Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Extend documentation on security concerns of crate names in a registry. #7616

Merged
merged 1 commit into from
Nov 21, 2019
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 17 additions & 6 deletions src/doc/src/reference/registries.md
Original file line number Diff line number Diff line change
Expand Up @@ -159,12 +159,23 @@ directories:
> package names in `Cargo.toml` and the index JSON data are case-sensitive and
> may contain upper and lower case characters.

Registries may want to consider enforcing limitations on package names added
to their index. Cargo itself allows names with any [alphanumeric], `-`, or `_`
character. For example, [crates.io] imposes relatively strict limitations,
such as requiring it to be a valid Rust identifier, only allowing ASCII
characters, under a specific length, and rejects reserved names such as
Windows special filenames like "nul".
Registries should consider enforcing limitations on package names added to
their index. Cargo itself allows names with any [alphanumeric], `-`, or `_`
characters. [crates.io] imposes its own limitations, including the following:

- Only allows ASCII characters.
- Only alphanumeric, `-`, and `_` characters.
- First character must be alphabetic.
- Case-insensitive collision detection.
- Prevent differences of `-` vs `_`.
- Under a specific length (max 64).
- Rejects reserved names, such as Windows special filenames like "nul".

Registries should consider incorporating similar restrictions, and consider
the security implications, such as [IDN homograph
attacks](https://en.wikipedia.org/wiki/IDN_homograph_attack) and other
concerns in [UTR36](https://www.unicode.org/reports/tr36/) and
[UTS39](https://www.unicode.org/reports/tr39/).

Each line in a package file contains a JSON object that describes a published
version of the package. The following is a pretty-printed example with comments
Expand Down