-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SourceId serialization is ambiguous due to lack of escaping #11085
Labels
A-lockfile
Area: Cargo.lock issues
C-bug
Category: bug
S-needs-design
Status: Needs someone to work further on the design for the feature or fix. NOT YET accepted.
Comments
g2p
added a commit
to g2p/cargo
that referenced
this issue
Sep 14, 2022
This adds a failing test for rust-lang#11085. For some branch names (or tags or refs), generate_lockfile will serialize poorly. Parsing the Cargo.lock will refer to a branch that wasn't the intended one in Cargo.toml. Because a branch name can contain the '#' character, the precise reference could be overriden through a branch/tag/ref as well. This is because serialisation is done with a custom Display implementation that concatenates strings as-is and is unaware that some characters may need escaping; on the other hand, deserialization uses url::Url::query_pairs which assumes <https://url.spec.whatwg.org/#application/x-www-form-urlencoded>.
g2p
added a commit
to g2p/cargo
that referenced
this issue
Sep 14, 2022
Use x-www-form-urlencoded which is the standard for query strings, matching what deserialization expects. https://url.spec.whatwg.org/#application/x-www-form-urlencoded Fixes rust-lang#11085.
g2p
added a commit
to g2p/cargo
that referenced
this issue
Sep 14, 2022
This adds a failing test for rust-lang#11085. For some branch names (or tags or refs), generate_lockfile will serialize poorly. Parsing the Cargo.lock will refer to a branch that wasn't the intended one in Cargo.toml. Because a branch name can contain the '#' character, the precise reference could be corrupted through a branch/tag/ref as well. This is because serialisation is done with a custom Display implementation that concatenates strings as-is and is unaware that some characters may need escaping; on the other hand, deserialization uses url::Url::query_pairs which assumes <https://url.spec.whatwg.org/#application/x-www-form-urlencoded>.
g2p
added a commit
to g2p/cargo
that referenced
this issue
Sep 14, 2022
Use x-www-form-urlencoded which is the standard for query strings, matching what the deserializer expects. https://url.spec.whatwg.org/#application/x-www-form-urlencoded Fixes rust-lang#11085.
g2p
added a commit
to g2p/cargo
that referenced
this issue
Sep 14, 2022
This adds a failing test for rust-lang#11085. For some branch names (or tags or refs), generate_lockfile will serialize poorly. Parsing the Cargo.lock will refer to a branch that wasn't the intended one in Cargo.toml. Because a branch name can contain the '#' character, the precise reference could be corrupted through a branch/tag/ref as well. This is because serialisation is done with a custom Display implementation that concatenates strings as-is and is unaware that some characters may need escaping; on the other hand, deserialization uses url::Url::query_pairs which assumes <https://url.spec.whatwg.org/#application/x-www-form-urlencoded>.
g2p
added a commit
to g2p/cargo
that referenced
this issue
Sep 14, 2022
Use x-www-form-urlencoded which is the standard for query strings, matching what the deserializer expects. https://url.spec.whatwg.org/#application/x-www-form-urlencoded Fixes rust-lang#11085.
g2p
added a commit
to g2p/cargo
that referenced
this issue
Sep 15, 2022
Use x-www-form-urlencoded which is the standard for query strings, matching what the deserializer expects. https://url.spec.whatwg.org/#application/x-www-form-urlencoded Fixes rust-lang#11085.
g2p
added a commit
to g2p/cargo
that referenced
this issue
Sep 15, 2022
This adds a failing test for rust-lang#11085. For some branch names (or tags or refs), generate_lockfile will serialize poorly. Parsing the Cargo.lock will refer to a branch that wasn't the intended one in Cargo.toml. Because a branch name can contain the '#' character, the precise reference could be corrupted through a branch/tag/ref as well. This is because serialisation is done with a custom Display implementation that concatenates strings as-is and is unaware that some characters may need escaping; on the other hand, deserialization uses url::Url::query_pairs which assumes <https://url.spec.whatwg.org/#application/x-www-form-urlencoded>.
g2p
added a commit
to g2p/cargo
that referenced
this issue
Sep 15, 2022
Use x-www-form-urlencoded which is the standard for query strings, matching what the deserializer expects. https://url.spec.whatwg.org/#application/x-www-form-urlencoded Fixes rust-lang#11085.
weihanglo
added
the
S-needs-design
Status: Needs someone to work further on the design for the feature or fix. NOT YET accepted.
label
Apr 25, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
A-lockfile
Area: Cargo.lock issues
C-bug
Category: bug
S-needs-design
Status: Needs someone to work further on the design for the feature or fix. NOT YET accepted.
Problem
I noticed this when
cargo update
(incompare_dependency_graphs
) kept notifying me of spurious changes when referring to a branch name with a'+'
character. Due to poor serialisation, deserializing a branch name from Cargo.lock gives a branch that doesn't match the one in Cargo.toml.It's also possible to give a branch name that will spill into the 'precise' commit hash when deserializing.
Steps
No response
Possible Solution(s)
Will send a PR that fixes serialization to use the expected encoding, which is unambiguous.
Notes
No response
Version
The text was updated successfully, but these errors were encountered: