authormurilo ijanc2026-03-25 15:26:44 -0300
committermurilo ijanc2026-03-25 15:30:45 -0300
commit62b68cc461b5e298add3ab190fe9a38f3efefe7a (patch)
tree8a5d62e2ab6736ae19d55b86f193537d58f6b45b /src/daemon.rs
parentb6e3f14ebd0601b1604dcb29fba07b6446a140b7 (diff)
downloadtesseras-paste-62b68cc461b5e298add3ab190fe9a38f3efefe7a.tar.gz
Harden identity key permissions, atomic writes, and HTTP method
- Write identity.key with mode 0600 to prevent other users from reading the Ed25519 private seed
- Use destination filename in atomic_write temp path to avoid collisions between concurrent writes to different files
- Reject HTTP methods other than GET/HEAD with 405
- Return "Hello Tesseras World" on GET /
Diffstat (limited to 'src/daemon.rs')
-rw-r--r--src/daemon.rs19
1 files changed, 16 insertions, 3 deletions
diff --git a/src/daemon.rs b/src/daemon.rs
index 88e3a09..f12efd9 100644
--- a/src/daemon.rs
+++ b/src/daemon.rs
@@ -413,8 +413,10 @@ fn handle_http(
};
let request = String::from_utf8_lossy(&buf[..n]);
- // Parse "GET /<path> HTTP/1.x"
- let path = match request.split_whitespace().nth(1) {
+ // Parse "METHOD /<path> HTTP/1.x"
+ let mut parts = request.split_whitespace();
+ let method = parts.next().unwrap_or("");
+ let path = match parts.next() {
Some(p) => p,
None => {
http_response(&mut stream, 400, "text/plain", b"Bad Request");
@@ -422,8 +424,18 @@ fn handle_http(
}
};
+ if method != "GET" && method != "HEAD" {
+ http_response(&mut stream, 405, "text/plain", b"Method Not Allowed");
+ return;
+ }
+
if path == "/" || path == "/favicon.ico" {
- http_response(&mut stream, 200, "text/plain", b"tesseras-paste\n");
+ http_response(
+ &mut stream,
+ 200,
+ "text/plain",
+ b"Hello Tesseras World\n",
+ );
return;
}
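Review bot: The new check at the top of the hunk admits HEAD, but nothing in the visible code consults `method` again, so the `/` branch below answers a HEAD request with the same `b"Hello Tesseras World\n"` payload as GET, whereas a HEAD response must carry headers only. Inside this hunk the fix is to choose the body by method, e.g. `let body: &[u8] = if method == "HEAD" { b"" } else { b"Hello Tesseras World\n" };` and pass `body` to `http_response`; the other path branches of handle_http lie outside the hunk and presumably need the same treatment, or `http_response` could take the method and drop the body itself. The 405 reply should also carry an `Allow: GET, HEAD` header, which the visible `http_response(stream, status, content_type, body)` call shape has no way to express. handle_http continues beyond the hunk.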
@@ -539,6 +551,7 @@ fn http_response(
200 => "OK",
400 => "Bad Request",
403 => "Forbidden",
+ 405 => "Method Not Allowed",
404 => "Not Found",
500 => "Internal Server Error",
_ => "Unknown",
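Review bot: The new `405 => "Method Not Allowed",` arm is inserted between 403 and 404, breaking the ascending status order the match otherwise keeps; move it below `404 => "Not Found",` so the next status added lands where a reader expects it. http_response's body continues outside the hunk.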