Separate VCS command paths with "--" #10483
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When building a VCS command, there may be ambiguity if a relative path looks like an option, like "-path" or "--path". All of the VCS commands that we use support a bare "--" separator for non-option arguments, which is good practice to apply here. This does not affect the cargo CLI, as it already makes sure to use absolute paths for these calls via `value_of_path()`.
|
r? @ehuss (rust-highfive has picked a reviewer for you, use r? to override) |
rust-highfive
added
the
S-waiting-on-review
|
This was raised with the Security Response WG as a vector for command injection, particularly with hg |
|
This looks Ok to me, we can revert if I missed something. |
|
📌 Commit 58508e2 has been approved by |
bors
added
S-waiting-on-bors
|
☀️ Test successful - checks-actions |
bors
added a commit
to rust-lang-ci/rust
that referenced
this pull request
Mar 19, 2022
Update cargo 9 commits in 65c82664263feddc5fe2d424be0993c28d46377a..109bfbd055325ef87a6e7f63d67da7e838f8300b 2022-03-09 02:32:56 +0000 to 2022-03-17 21:43:09 +0000 - Refactor RegistryData::load to handle management of the index cache (rust-lang/cargo#10482) - Separate VCS command paths with "--" (rust-lang/cargo#10483) - Fix panic when artifact target is used for `[target.'cfg(<target>)'.dependencies` (rust-lang/cargo#10433) - Bump git2@0.14.2 and libgit2-sys@0.13.2 (rust-lang/cargo#10479) - vendor: Don't allow multiple values for --sync (rust-lang/cargo#10448) - Use types to make clere (credential process || token) (rust-lang/cargo#10471) - Warning on conflicting keys (rust-lang/cargo#10316) - Registry functions return Poll to enable parallel fetching of index data (rust-lang/cargo#10064) - Refine the contributor guide (rust-lang/cargo#10468)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When building a VCS command, there may be ambiguity if a relative path
looks like an option, like "-path" or "--path". All of the VCS commands
that we use support a bare "--" separator for non-option arguments,
which is good practice to apply here.
This does not affect the cargo CLI, as it already makes sure to use
absolute paths for these calls via
value_of_path().