Security

- breaking: Added a default limit to how much data `Bytes::from_request` will
  consume. Previously it would attempt to consume the entire request body
  without checking its length. This meant that if a malicious peer sent a large (or
  infinite) request body your server might run out of memory and crash.

  The default limit is 2 MB and can be disabled by adding the new
  `DefaultBodyLimit::disable()` middleware. See its documentation for more
  details.

  This also applies to these extractors, which used `Bytes::from_request`
  internally:
  - `Form`
  - `Json`
  - `String`

  Thanks to Shachar Menashe for reporting this vulnerability.
  (#1346)
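To show the difference between the old unbounded read and the new capped read, here is an added example (not axum's or hyper's own code) that models a request body as a synchronous `std::io::Read` and caps how many bytes the "extractor" will buffer; the 2 MB constant mirrors the default above, and `None` mirrors disabling the limit.

```rust
use std::io::{self, Read};

/// Default cap on buffered body bytes (2 MB, matching the new axum default).
pub const DEFAULT_BODY_LIMIT: usize = 2 * 1024 * 1024;

#[derive(Debug, PartialEq)]
pub enum BodyError {
    TooLarge { limit: usize },
    Io(String),
}

/// Pre-fix pattern: read until EOF with no bound. A huge or never-ending body
/// grows `buf` until the process is killed for running out of memory.
pub fn read_body_unbounded<R: Read>(body: &mut R) -> Result<Vec<u8>, BodyError> {
    let mut buf = Vec::new();
    body.read_to_end(&mut buf).map_err(|e| BodyError::Io(e.to_string()))?;
    Ok(buf)
}

/// Fixed pattern: stop reading as soon as the body exceeds `limit`.
/// `limit = None` models `DefaultBodyLimit::disable()` and is only safe when
/// some other layer bounds the body.
pub fn read_body_limited<R: Read>(body: &mut R, limit: Option<usize>) -> Result<Vec<u8>, BodyError> {
    let mut buf = Vec::new();
    match limit {
        None => {
            body.read_to_end(&mut buf).map_err(|e| BodyError::Io(e.to_string()))?;
        }
        Some(limit) => {
            // Read at most limit + 1 bytes so "exactly at the limit" is still accepted
            // while anything beyond it is rejected without buffering the rest.
            let mut capped = body.take(limit as u64 + 1);
            capped.read_to_end(&mut buf).map_err(|e| BodyError::Io(e.to_string()))?;
            if buf.len() > limit {
                return Err(BodyError::TooLarge { limit });
            }
        }
    }
    Ok(buf)
}

/// Constructed stand-in for a malicious peer: a body that never reaches EOF.
pub struct InfiniteBody;
impl Read for InfiniteBody {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        buf.fill(b'A');
        Ok(buf.len())
    }
}

fn main() {
    let mut small = io::Cursor::new(b"{\"ok\":true}".to_vec());
    println!("{:?}", read_body_limited(&mut small, Some(DEFAULT_BODY_LIMIT)));
    // A 16-byte cap rejects the endless body after reading only 17 bytes;
    // read_body_unbounded(&mut InfiniteBody) would never return.
    println!("{:?}", read_body_limited(&mut InfiniteBody, Some(16)));
}
```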
Routing

- breaking: Adding a `.route_layer` onto a `Router` or `MethodRouter`
  without any routes will now result in a panic. Previously, this just did
  nothing. (#1327)
Middleware

- added: Add `middleware::from_fn_with_state` and
  `middleware::from_fn_with_state_arc` to enable running extractors that require
  state (#1342)