From a4c1c6fa2abe81f5b868ea8c0032858f46ef2d46 Mon Sep 17 00:00:00 2001
From: Eric Huss
Date: Thu, 21 Nov 2019 10:56:13 -0800
Subject: [PATCH 1/2] Extend documentation on security concerns of crate names in a registry.
---
 src/doc/src/reference/registries.md | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/src/doc/src/reference/registries.md b/src/doc/src/reference/registries.md
index 868bb45a209..9eaf523586d 100644
--- a/src/doc/src/reference/registries.md
+++ b/src/doc/src/reference/registries.md
@@ -159,12 +159,23 @@ directories:
 > package names in `Cargo.toml` and the index JSON data are case-sensitive and
 > may contain upper and lower case characters.
 
-Registries may want to consider enforcing limitations on package names added
-to their index. Cargo itself allows names with any [alphanumeric], `-`, or `_`
-character. For example, [crates.io] imposes relatively strict limitations,
-such as requiring it to be a valid Rust identifier, only allowing ASCII
-characters, under a specific length, and rejects reserved names such as
-Windows special filenames like "nul".
+Registries should consider enforcing limitations on package names added to
+their index. Cargo itself allows names with any [alphanumeric], `-`, or `_`
+characters. [crates.io] imposes its own limitations, including the following:
+
+- Only allows ASCII characters.
+- Only alphanumeric, `-`, and `_` characters.
+- First character must be alphabetic.
+- Case-insensitive collision detection.
+- Prevent differences of `-` vs `_`.
+- Under a specific length (max 64).
+- Rejects reserved names, such as Windows special filenames like "nul".
+
+Registries should consider incorporating similar restrictions, and consider
+the security implications, such as [IDN homograph
+attacks](https://en.wikipedia.org/wiki/IDN_homograph_attack) and other
+concerns in [UTR36](https://www.unicode.org/reports/tr36/) and
+[UTS39](https://www.unicode.org/reports/tr39/).
 
 Each line in a package file contains a JSON object that describes a published
 version of the package. The following is a pretty-printed example with comments
From 0ab0b8f2b3451f2840f91621a91f3236bcd2bddd Mon Sep 17 00:00:00 2001
From: Eric Huss
Date: Mon, 18 Nov 2019 16:01:31 -0800
Subject: [PATCH 2/2] Add hack for fwdansi change.
---
 tests/testsuite/cache_messages.rs | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/tests/testsuite/cache_messages.rs b/tests/testsuite/cache_messages.rs
index f46fd1d0e82..4a0b01981dd 100644
--- a/tests/testsuite/cache_messages.rs
+++ b/tests/testsuite/cache_messages.rs
@@ -95,6 +95,20 @@ fn color() {
 // Check enabling/disabling color.
 let p = project().file("src/lib.rs", "fn a() {}").build();
 
+ // Hack for issue in fwdansi 1.1. It is squashing multiple resets
+ // into a single reset.
+ // https://github.com/kennytm/fwdansi/issues/2
+ fn normalize(s: &str) -> String {
+ #[cfg(windows)]
+ return s.replace("\x1b[0m\x1b[0m", "\x1b[0m");
+ #[cfg(not(windows))]
+ return s.to_string();
+ };
+
+ let compare = |a, b| {
+ assert_eq!(normalize(a), normalize(b));
+ };
+
 let agnostic_path = Path::new("src").join("lib.rs");
 let agnostic_path_s = agnostic_path.to_str().unwrap();
 // Capture the original color output.
@@ -121,21 +135,21 @@ fn color() {
 .cargo("check -q --color=always")
 .exec_with_output()
 .expect("cargo to run");
- assert_eq!(rustc_color, as_str(&cargo_output1.stderr));
+ compare(rustc_color, as_str(&cargo_output1.stderr));
 
 // Replay cached, with color.
 let cargo_output2 = p
 .cargo("check -q --color=always")
 .exec_with_output()
 .expect("cargo to run");
- assert_eq!(rustc_color, as_str(&cargo_output2.stderr));
+ compare(rustc_color, as_str(&cargo_output2.stderr));
 
 // Replay cached, no color.
 let cargo_output_nocolor = p
 .cargo("check -q --color=never")
 .exec_with_output()
 .expect("cargo to run");
- assert_eq!(rustc_nocolor, as_str(&cargo_output_nocolor.stderr));
+ compare(rustc_nocolor, as_str(&cargo_output_nocolor.stderr));
 }
 
 #[cargo_test]
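Review bot: The `#[cfg(windows)]` / `#[cfg(not(windows))]` pair of `return`s in the new `normalize` in the first hunk leaves the Windows arm unchecked by the compiler on every other platform; `if cfg!(windows) { s.replace("\x1b[0m\x1b[0m", "\x1b[0m") } else { s.to_string() }` keeps both arms compiled everywhere, and the `};` after the fn item is a stray empty statement that rustc flags as redundant. The comment only names the fwdansi issue, but the hack also weakens the Windows assertion (a genuine double-reset regression in cargo's replay would now be normalized away), so it should carry a removal condition such as `// TODO: drop once the fwdansi fix is picked up; this masks double resets on Windows.`. Note that `replace` only collapses pairs, so if fwdansi ever squashes three or more consecutive resets the normalized strings would still differ — presumably not the case here, but worth stating in the comment. The enclosing `fn color()` begins before this hunk and continues past it.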