@Turbo87 Turbo87 commented Apr 8, 2025

We currently get the package name and version in three places in a publish request: the JSON metadata blob, the path prefix inside the crate tarball, and the Cargo.toml manifest inside the crate tarball. Up until now we were primarily relying on the JSON metadata and verifying the path prefixes. Apparently we were not checking the content of the Cargo.toml manifest though.

This PR fixes the issue by explicitly checking the manifest fields too and returning errors in case of a mismatch.
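The three-way consistency check the PR describes, written out as an added example (this is not crates.io's own code; the type and function names, the exact-string comparison of name and version, the modelling of the tarball as `(path, contents)` pairs, and the hand-rolled `[package]` field extraction are all assumptions made for the example):

```rust
/// Name and version taken from the JSON metadata blob of a publish request.
#[derive(Debug, PartialEq, Eq)]
pub struct Metadata {
    pub name: String,
    pub version: String,
}

/// Every way the three sources can disagree; each variant carries the offending values.
#[derive(Debug, PartialEq, Eq)]
pub enum PublishError {
    /// A tarball entry does not live under the `<name>-<version>/` directory.
    PathPrefixMismatch { path: String, expected_prefix: String },
    /// Cargo.toml is absent or lacks `package.name` / `package.version`.
    MissingManifestFields,
    /// `package.name` in Cargo.toml differs from the metadata name.
    ManifestNameMismatch { metadata: String, manifest: String },
    /// `package.version` in Cargo.toml differs from the metadata version.
    ManifestVersionMismatch { metadata: String, manifest: String },
}

/// Directory prefix every tarball entry must carry, derived from the metadata.
pub fn expected_prefix(metadata: &Metadata) -> String {
    format!("{}-{}/", metadata.name, metadata.version)
}

/// Check one tarball path against the expected `<name>-<version>/` prefix.
pub fn check_path_prefix(metadata: &Metadata, path: &str) -> Result<(), PublishError> {
    let expected_prefix = expected_prefix(metadata);
    if path.starts_with(&expected_prefix) {
        Ok(())
    } else {
        Err(PublishError::PathPrefixMismatch { path: path.to_string(), expected_prefix })
    }
}

/// Extract (`name`, `version`) from the `[package]` table of a Cargo.toml.
/// Assumption for this example: only `key = "value"` lines matter and no other
/// table is named `[package]`; production code would use a real TOML parser.
pub fn parse_package_fields(cargo_toml: &str) -> Option<(String, String)> {
    let mut in_package = false;
    let (mut name, mut version) = (None, None);
    for raw in cargo_toml.lines() {
        let line = raw.trim();
        if line.starts_with('[') {
            // `[package.metadata]`, `[dependencies]` etc. end the `[package]` table.
            in_package = line == "[package]";
            continue;
        }
        if !in_package || line.starts_with('#') {
            continue;
        }
        if let Some((key, value)) = line.split_once('=') {
            let value = value.trim().trim_matches('"').to_string();
            match key.trim() {
                "name" => name = Some(value),
                "version" => version = Some(value),
                _ => {}
            }
        }
    }
    Some((name?, version?))
}

/// Compare the manifest's `[package]` fields with the metadata, rejecting any mismatch.
pub fn check_manifest(metadata: &Metadata, cargo_toml: &str) -> Result<(), PublishError> {
    let (name, version) =
        parse_package_fields(cargo_toml).ok_or(PublishError::MissingManifestFields)?;
    if name != metadata.name {
        return Err(PublishError::ManifestNameMismatch { metadata: metadata.name.clone(), manifest: name });
    }
    if version != metadata.version {
        return Err(PublishError::ManifestVersionMismatch { metadata: metadata.version.clone(), manifest: version });
    }
    Ok(())
}

/// Validate a whole publish request: every path must carry the expected prefix, the
/// manifest must exist at `<name>-<version>/Cargo.toml`, and its fields must agree.
/// `entries` models the tarball as constructed (path, contents) pairs.
pub fn validate_publish(metadata: &Metadata, entries: &[(&str, &str)]) -> Result<(), PublishError> {
    let manifest_path = format!("{}Cargo.toml", expected_prefix(metadata));
    let mut cargo_toml = None;
    for (path, contents) in entries {
        check_path_prefix(metadata, path)?;
        if *path == manifest_path {
            cargo_toml = Some(*contents);
        }
    }
    check_manifest(metadata, cargo_toml.ok_or(PublishError::MissingManifestFields)?)
}

fn main() {
    let meta = Metadata { name: "hello".to_string(), version: "1.2.3".to_string() };
    // Constructed tarball listing whose manifest claims a version the metadata does not.
    let entries = [
        ("hello-1.2.3/Cargo.toml", "[package]\nname = \"hello\"\nversion = \"9.9.9\"\n"),
        ("hello-1.2.3/src/lib.rs", "pub fn hello() {}\n"),
    ];
    match validate_publish(&meta, &entries) {
        Ok(()) => println!("publish request is consistent"),
        Err(e) => println!("rejected: {e:?}"),
    }
}
```

The path check and the manifest check are kept as separate functions so that each mismatch produces a distinct, specific error; the request is rejected as soon as any one of the three sources disagrees with the JSON metadata.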

@Turbo87 Turbo87 added C-bug 🐞 Category: unintended, undesired behavior A-backend ⚙️ labels Apr 8, 2025
@Turbo87 Turbo87 requested review from a team and Copilot April 8, 2025 10:25
Copilot AI left a comment

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

Turbo87 commented Apr 9, 2025

Since this fixes a significant bug I'll go ahead and merge it. I'd still appreciate a review afterwards if anyone has time :)

@Turbo87 Turbo87 merged commit 8cb23a6 into rust-lang:main Apr 9, 2025
9 checks passed
@Turbo87 Turbo87 deleted the manifest-mismatch branch April 9, 2025 06:49
@LawnGnome LawnGnome left a comment

After the fact: LGTM. I don't see any downside to doing this. 👍
