Add CoapResponse and CoapRequest #1

Merged
merged 4 commits into from
Nov 25, 2020

Contributor

@jiayihu jiayihu commented Nov 24, 2020

Sorry many lines are just automatic formatting on save by fmt, I hope it's not an issue

@martindisch
Owner

It looks like the tool you used for formatting the code does not adhere to the same style as cargo fmt, or at least it disregarded the line length rule defined in .rustfmt.toml. After applying the "default" formatting, the changes became much more clear.

I made some more small changes and will be releasing the new version shortly. Thank you for your contribution.

@martindisch martindisch merged commit 2788f41 into martindisch:master Nov 25, 2020
jasta added a commit to jasta/coap-lite that referenced this pull request Mar 10, 2022
get_path is implemented in a way that ignores invalid UTF-8 when
forming the result string.  This allows an attacker to exploit at least
two potential weaknesses with little effort:

1. If coap-rs is used as a proxy to filter paths but forwards requests
using the original input bytes, a malicious request could arrive deeper
inside a network topology than was intended and potentially cause other
issues with less tolerant parsers or handling logic.  For example, let's
say we wanted to block access to "/foo/*" but allow "/foo", one could
encode the path "/foo/<invalid-utf8>" and this would pass our filtering
rules but the forwarding target would unexpectedly be asked to handle a
request with the extra "<invalid-utf8>" segment on it.

2. Generic logging of incoming request paths would not be reliable
making it very difficult to detect a bad actor probing the network
looking for weaknesses related to martindisch#1.  For example, if we had a generic
handler that printed log data using request.get_path() then an attacker
could try URLs like "/foo/<invalid-utf8>/test" while the logger would
report an innocent looking request for "/foo/test".  This would also
make forensics after an attack difficult.
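
Added example (not part of the commit message above and not coap-lite's own code): a minimal Rust model of the two weaknesses it describes, next to a strict variant that fails closed. The helpers `lossy_path`, `strict_path`, `allowed` and `allowed_strict`, the policy and the sample bytes are all constructed for illustration.

```rust
use std::str;

/// Models the behaviour the commit message describes: segments that are not
/// valid UTF-8 are silently skipped when the path string is built.
/// Hypothetical helper, not the library's implementation.
fn lossy_path(segments: &[&[u8]]) -> String {
    segments
        .iter()
        .filter_map(|&s| str::from_utf8(s).ok())
        .collect::<Vec<&str>>()
        .join("/")
}

/// Strict variant: one invalid segment makes the whole path an error, so the
/// caller must reject and log the request instead of seeing a shortened path.
fn strict_path(segments: &[&[u8]]) -> Result<String, str::Utf8Error> {
    let parts = segments
        .iter()
        .map(|&s| str::from_utf8(s))
        .collect::<Result<Vec<&str>, _>>()?;
    Ok(parts.join("/"))
}

/// Constructed policy from the commit message: allow "/foo", block "/foo/*".
fn allowed(path: &str) -> bool {
    path == "foo"
}

/// Filter that fails closed when the path cannot be decoded.
fn allowed_strict(segments: &[&[u8]]) -> bool {
    matches!(strict_path(segments), Ok(p) if allowed(&p))
}

fn main() {
    // Constructed sample input: the bytes 0xff 0xfe are not valid UTF-8.
    let bad: &[u8] = &[0xff, 0xfe];
    let filtered: [&[u8]; 2] = [b"foo", bad];
    let logged: [&[u8]; 3] = [b"foo", bad, b"test"];

    // Weakness 1: the lossy view passes the filter although an extra segment exists.
    println!("lossy filter: allowed={}", allowed(&lossy_path(&filtered)));
    println!("strict filter: allowed={}", allowed_strict(&filtered));
    // Weakness 2: the lossy log line hides the invalid middle segment.
    println!("lossy log: /{}", lossy_path(&logged));
    println!("strict log: {:?}", strict_path(&logged));
}
```

A proxy that makes its decision on the decoded path should either forward a path rebuilt from the validated segments or reject the request, never forward the original bytes after a lossy check.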