The supplied systemd unit file places some basic security restrictions
on the rest service. This patch enhances those, and improves the
overall security assessment score given by `systemd-analyze security`
from "8.3 EXPOSED" to "1.3 OK".
Closes#148
Using docker's multi-stage builds we can build the restic/rest-server
within a golang build environment then create a container for use
(without the build environment) in a second build stage.
The advantages are:
1. Building the rest-server is predictable in a pristine environment
each time.
2. Container builds ensure we get the latest rest-server every time.
Updated README with details of new docker build approach, and added
changelog for unreleased changes.
"/" is valid char in HTTP authorization headers, but is also used in
rest-server to map usernames to private repos.
This commit prevents loading maliciously composed usernames like
"/foo/config" by restricting the allowed characters to the unicode
character class, numbers, "-", "." and "@".
Closes#131
