tomaka / rouille

Web framework in Rust
Apache License 2.0

Use pure Rust brotli library #124

Open tomaka opened 7 years ago

tomaka commented 7 years ago

Very long term issue.

gilescope commented 4 years ago

Seems like there are pure Rust drop-in replacements. For now we've turned this feature off as it was causing compile issues on some machines.

Rust all the way down :-)

AndreKR commented 3 years ago

For quick reference, the brotli-sys dependency can be turned off in Cargo.toml [dependencies] using

rouille = { version = "3.0.0", default-features = false, features = ["gzip"] }

gilescope commented 3 years ago

Excellent. Pure rust FTW!

On Tue, 2 Mar 2021 at 14:16, AndreKR notifications@github.com wrote:

For quick reference, the brotli-sys dependency can be turned off in Cargo.toml [dependencies] using

rouille = { version = "3.0.0", default-features = false, features = ["gzip"] }


mleonhard commented 3 years ago

This is important because the brotli2 crate has a known security problem. The PR to fix it was abandoned.

travispaul commented 2 years ago

Looks like this was implemented in v3.5.0:

Replaced our use of the brotli2 crate with the alternative pure Rust implementation brotli. This removes Rouille's vulnerability to RUSTSEC-2021-0131, which existed due to brotli-sys bundling a vulnerable version of the underlying C library.

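To verify which brotli backend a build actually resolved (the feature workaround AndreKR posted above, or the 3.5.0 switch quoted here), the following added script, not rouille's own code, parses a Cargo.lock and reports whether the brotli2/brotli-sys chain or the pure-Rust brotli crate is present; the sample lockfiles are constructed from the crate versions quoted in this thread.

```python
"""Check which brotli backend a Cargo.lock resolves for rouille.

Added example, not rouille's own code. Per this thread: rouille < 3.5.0 with
default features pulls in brotli2 -> brotli-sys (bundled C library,
RUSTSEC-2021-0131); 3.5.0+ resolves the pure-Rust `brotli` crate instead.
"""
import re

NATIVE_BROTLI = {"brotli2", "brotli-sys"}          # C-backed chain
PURE_BROTLI = {"brotli", "brotli-decompressor"}    # pure Rust


def parse_lock(text):
    """Map package name -> list of versions from [[package]] tables."""
    packages, name = {}, None
    for line in text.splitlines():
        m = re.match(r'\s*(name|version)\s*=\s*"([^"]+)"', line)
        if not m:
            continue
        key, value = m.groups()
        if key == "name":
            name = value
        elif name is not None:           # version follows name in Cargo.lock
            packages.setdefault(name, []).append(value)
            name = None
    return packages


def audit(lock_text):
    """Return (status, detail): status is "native", "pure" or "none"."""
    pkgs = parse_lock(lock_text)
    native = sorted(NATIVE_BROTLI & set(pkgs))
    pure = sorted(PURE_BROTLI & set(pkgs))
    status = "native" if native else "pure" if pure else "none"
    return status, {"rouille": pkgs.get("rouille", []), "native": native, "pure": pure}


def make_lock(*pairs):
    """Build a minimal constructed Cargo.lock from (name, version) pairs."""
    return "".join(f'[[package]]\nname = "{n}"\nversion = "{v}"\n\n' for n, v in pairs)


# Constructed lockfiles mirroring the build output quoted in this thread.
OLD_LOCK = make_lock(("brotli-sys", "0.3.2"), ("brotli2", "0.3.2"), ("rouille", "3.2.1"))
NEW_LOCK = make_lock(("brotli-decompressor", "2.3.2"), ("brotli", "3.3.3"), ("rouille", "3.5.0"))
GZIP_ONLY_LOCK = make_lock(("rouille", "3.0.0"))   # default-features = false, features = ["gzip"]
```

Run `audit` against the real `Cargo.lock` of a project to see whether it still links the C brotli through brotli-sys.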
AndreKR commented 2 years ago

I can confirm that rouille now builds out of the box with no special feature config. By the way, this is true for the pure-Rust brotli (I'm assuming that's what brotli-decompressor is) but also for more recent brotli2 versions (the older ones didn't build on Windows).

First I let Cargo choose (rouille = "*") and it chose 3.2.1:

   Compiling brotli-sys v0.3.2
   Compiling brotli2 v0.3.2
   Compiling rouille v3.2.1

Then I forced 3.5.0 and it also builds fine out of the box:

   Compiling libc v0.2.116
   Compiling alloc-no-stdlib v2.0.3
   Compiling time v0.3.7
   Compiling alloc-stdlib v0.2.1
   Compiling brotli-decompressor v2.3.2
   Compiling num_cpus v1.13.0
   Compiling time v0.1.43
   Compiling tokio v1.8.1
   Compiling rayon-core v1.9.1
   Compiling dashmap v4.0.2
   Compiling threadpool v1.8.1
   Compiling chrono v0.4.19
   Compiling brotli v3.3.3
   Compiling rayon v1.5.1
   Compiling waitcache v0.1.2
   Compiling tiny_http v0.8.2
   Compiling tokio-util v0.6.7
   Compiling tokio-rustls v0.22.0
   Compiling jpeg-decoder v0.1.22
   Compiling h2 v0.3.3
   Compiling rouille v3.5.0
   Compiling tiff v0.6.1
   Compiling image v0.23.14
   Compiling hyper v0.14.10
   Compiling hyper-rustls v0.22.1
   Compiling reqwest v0.11.4