At this point, there is no authentication sent with the dl endpoint, which is bad because it allows a malicious party to find mirrored crates.io crates via their sha256sum.
An RFC rust-lang/cargo#10474 solving this has been recently accepted but not yet implemented. So for now, it might be a good idea to randomize the dl endpoint and store the path with a rotating secret in the registry index.
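A sketch of the workaround proposed above, added here as an illustration and not taken from the issue or the project's code: the registry publishes a `dl` template containing a random path segment and accepts the current and previous segment so clients with a slightly stale index keep working. The class name, URL and `keep` window are hypothetical, and the scheme assumes the index itself is readable only by authenticated clients.

```python
import hmac
import secrets


class RotatingDlPath:
    """Unguessable, rotating path segment for a registry's dl endpoint."""

    def __init__(self, base_url, keep=2):
        self.base_url = base_url.rstrip("/")
        self.keep = keep      # generations accepted: current plus keep-1 older
        self.tokens = []      # newest first
        self.rotate()

    def rotate(self):
        # 32 random bytes as URL-safe text; not derivable from any checksum.
        self.tokens.insert(0, secrets.token_urlsafe(32))
        del self.tokens[self.keep:]

    def dl_template(self):
        # Value for "dl" in the index's config.json. {crate} and {version}
        # are markers that Cargo substitutes on the client side.
        return f"{self.base_url}/{self.tokens[0]}/{{crate}}/{{version}}/download"

    def resolve(self, path):
        """Return (crate, version) for a valid path under the dl root, else None."""
        parts = path.strip("/").split("/")
        if len(parts) != 4 or parts[3] != "download":
            return None
        presented = parts[0].encode()
        # Check every accepted token in constant time, without early exit.
        ok = False
        for tok in self.tokens:
            ok |= hmac.compare_digest(presented, tok.encode())
        return (parts[1], parts[2]) if ok else None
```

After each `rotate()` the new `dl_template()` value has to be written to the index; a request carrying a token older than the `keep` window resolves to `None`, which the server can answer exactly like a missing crate.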