Auto merge of #7619 - ehuss:beta-registry-doc, r=Eh2406
[beta] Extend documentation on security concerns of crate names in a registry.

Beta backport of #7616 requested at #7616 (comment).
bors committed Nov 22, 2019
2 parents 5da4b4d + 0ab0b8f commit bc8e4c8
Showing 2 changed files with 34 additions and 9 deletions.
23 changes: 17 additions & 6 deletions src/doc/src/reference/registries.md
Expand Up @@ -159,12 +159,23 @@ directories:
> package names in `Cargo.toml` and the index JSON data are case-sensitive and
> may contain upper and lower case characters.
Registries may want to consider enforcing limitations on package names added
to their index. Cargo itself allows names with any [alphanumeric], `-`, or `_`
character. For example, [crates.io] imposes relatively strict limitations,
such as requiring it to be a valid Rust identifier, only allowing ASCII
characters, under a specific length, and rejects reserved names such as
Windows special filenames like "nul".
Registries should consider enforcing limitations on package names added to
their index. Cargo itself allows names with any [alphanumeric], `-`, or `_`
characters. [crates.io] imposes its own limitations, including the following:

- Only allows ASCII characters.
- Only alphanumeric, `-`, and `_` characters.
- First character must be alphabetic.
- Case-insensitive collision detection.
- Prevent differences of `-` vs `_`.
- Under a specific length (max 64).
- Rejects reserved names, such as Windows special filenames like "nul".

Registries should consider incorporating similar restrictions, and consider
the security implications, such as [IDN homograph
attacks](https://en.wikipedia.org/wiki/IDN_homograph_attack) and other
concerns in [UTR36](https://www.unicode.org/reports/tr36/) and
[UTS39](https://www.unicode.org/reports/tr39/).

Each line in a package file contains a JSON object that describes a published
version of the package. The following is a pretty-printed example with comments
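Review bot: "Prevent differences of `-` vs `_`" in the new crates.io list is ambiguous about what is enforced; read next to "Case-insensitive collision detection", the intended meaning is evidently that `-` and `_` are treated as the same character when checking whether a name already exists, so say that directly, e.g. `- Treats `-` and `_` as equivalent when detecting collisions.` Likewise "Under a specific length (max 64)" can simply read "At most 64 characters". Two smaller points: the bullet "Only alphanumeric, `-`, and `_` characters" restates the Cargo rule given in the sentence immediately before the list, so it could be dropped or phrased as "the same character set Cargo accepts"; and the closing sentence uses "consider" twice ("should consider incorporating ... and consider the security implications"), which reads better as "should consider incorporating similar restrictions and weigh the security implications, such as ...". The case-insensitive and `-`/`_` equivalence checks are the ones that actually block look-alike names, so they deserve the clearest wording in this list.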
20 changes: 17 additions & 3 deletions tests/testsuite/cache_messages.rs
Expand Up @@ -95,6 +95,20 @@ fn color() {
// Check enabling/disabling color.
let p = project().file("src/lib.rs", "fn a() {}").build();

// Hack for issue in fwdansi 1.1. It is squashing multiple resets
// into a single reset.
// https://github.com/kennytm/fwdansi/issues/2
fn normalize(s: &str) -> String {
#[cfg(windows)]
return s.replace("\x1b[0m\x1b[0m", "\x1b[0m");
#[cfg(not(windows))]
return s.to_string();
};

let compare = |a, b| {
assert_eq!(normalize(a), normalize(b));
};

let agnostic_path = Path::new("src").join("lib.rs");
let agnostic_path_s = agnostic_path.to_str().unwrap();
// Capture the original color output.
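Review bot: the `};` that closes `fn normalize` is a stray empty statement; a nested `fn` item takes no trailing semicolon, so it should be `}` (newer compilers warn about the redundant semicolon). Also, because `compare` wraps `assert_eq!` inside a closure, a mismatch panics with the closure's line rather than the call site's, so the three comparisons below are indistinguishable in a failure report; pass a label through, e.g. `let compare = |label: &str, a, b| assert_eq!(normalize(a), normalize(b), "{}", label);`, or name the parameters `expected`/`actual` so the argument order is at least visible at the definition.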
Expand All @@ -121,21 +135,21 @@ fn color() {
.cargo("check -q --color=always")
.exec_with_output()
.expect("cargo to run");
assert_eq!(rustc_color, as_str(&cargo_output1.stderr));
compare(rustc_color, as_str(&cargo_output1.stderr));

// Replay cached, with color.
let cargo_output2 = p
.cargo("check -q --color=always")
.exec_with_output()
.expect("cargo to run");
assert_eq!(rustc_color, as_str(&cargo_output2.stderr));
compare(rustc_color, as_str(&cargo_output2.stderr));

// Replay cached, no color.
let cargo_output_nocolor = p
.cargo("check -q --color=never")
.exec_with_output()
.expect("cargo to run");
assert_eq!(rustc_nocolor, as_str(&cargo_output_nocolor.stderr));
compare(rustc_nocolor, as_str(&cargo_output_nocolor.stderr));
}

#[cargo_test]
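Review bot: the three `compare(...)` calls keep the `assert_eq!` argument order (rustc reference output first, Cargo output second), but nothing at these call sites says which of the three checks (fresh run with color, cached replay with color, cached replay without color) failed when the closure panics; passing a short label such as `"cached, color"` alongside the two strings would make a failure in the cache-replay path immediately attributable. Separately, this test change is not mentioned in the commit message, which only describes the registry documentation; add a line noting the fwdansi workaround so the contents of the beta backport are documented.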
