-
Notifications
You must be signed in to change notification settings - Fork 582
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Crates with paths differing only by case are allowed #8410
Labels
A-backend ⚙️
C-enhancement ✨
Category: Adding new behavior or a change to the way an existing feature works
Comments
we currently only check this scenario for Cargo.toml files, but I tend to agree that we might want to restrict this to all files. @rust-lang/crates-io any thoughts on this? |
Turbo87
added
C-enhancement ✨
Category: Adding new behavior or a change to the way an existing feature works
A-backend ⚙️
labels
Apr 8, 2024
I don't think there's a legitimate case where anyone would actually want this, so yes, I'd be supportive of checking this on publish. |
Reopening, since we ended up reverting #8788. (See that PR for details.) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
A-backend ⚙️
C-enhancement ✨
Category: Adding new behavior or a change to the way an existing feature works
Current Behavior
It's possible to have a tarball that contains multiple files with paths that are identical except case, e.g.
readme.md
andREADME.MD
. On case-insensitive file systems on of these will overwrite the other. Tricks like these could confuse tools or even hide files from code reviews performed on macOS or Windows.e.g. Cargo can pacakge duplicate
cargo.lock
file, andcargo.toml
breaks docs.rs but not crates.io.I haven't checked whether it's still allowed to have completely duplicate paths, but there are many old crates with duplicate files, e.g. two
Cargo.toml.orig
files: https://crates.io/crates/nucleo-f103rb/0.3.0Expected Behavior
I think it'd be best if crates.io refused to accept any tarballs with potentially duplicate paths. It's not sufficient to rely on
cargo publish
to work correctly, because attackers could upload arbitrary tarballs. Even if crates.io could safely deal with weird tarballs, they can be causing trouble in 3rd party tools.Steps To Reproduce
No response
Environment
No response
Anything else?
No response
The text was updated successfully, but these errors were encountered: