Switch brotli2 for brotli resolving CVE

CVE-2020-8927 affects Brotli versions <1.0.8 and this includes the
version bundled with `brotli-sys`, no updated upstream version exists so
switching to the pure Rust implementation available in `brotli` is the
most sensible course of action.

Cargo.toml

@@ -12,13 +12,12 @@ categories = ["web-programming::http-server", "web-programming::websocket"]
 
 [features]
 default = ["gzip", "brotli"]
-brotli = ["brotli2"]
 gzip = ["deflate"]
 ssl = ["tiny_http/ssl"]
 
 [dependencies]
 base64 = "0.13"
-brotli2 = { version = "0.3.2", optional = true }
+brotli = { version = "3.3.2", optional = true }
 chrono = { version = "0.4.19", default-features = false }
 filetime = "0.2.0"
 deflate = { version = "0.9", optional = true, features = ["gzip"] }

src/content_encoding.rs

@@ -132,7 +132,7 @@ fn gzip(response: &mut Response) {}
 
 #[cfg(feature = "brotli")]
 fn brotli(response: &mut Response) {
-    use brotli2::read::BrotliEncoder;
+    use brotli::enc::reader::CompressorReader;
     use std::mem;
     use ResponseBody;
 
@@ -141,7 +141,8 @@ fn brotli(response: &mut Response) {
         .push(("Content-Encoding".into(), "br".into()));
     let previous_body = mem::replace(&mut response.data, ResponseBody::empty());
     let (raw_data, _) = previous_body.into_reader_and_size();
-    response.data = ResponseBody::from_reader(BrotliEncoder::new(raw_data, 6));
+    // Using default Brotli parameters: 0 buffer_size == 4096, compression level 6, lgwin == 22
+    response.data = ResponseBody::from_reader(CompressorReader::new(raw_data, 0, 6, 22));
 }
 
 #[cfg(not(feature = "brotli"))]

src/lib.rs

@@ -57,8 +57,8 @@
 #![deny(unsafe_code)]
 
 extern crate base64;
-#[cfg(feature = "brotli2")]
-extern crate brotli2;
+#[cfg(feature = "brotli")]
+extern crate brotli;
 extern crate chrono;
 #[cfg(feature = "gzip")]
 extern crate deflate;