From: Steven Fackler
Date: Wed, 24 Jan 2018 20:54:17 +0000 (-0800)
Subject: Forbid credentials from registry URLs
X-Git-Tag: archive/raspbian/0.35.0-2+rpi1~3^2^2^2^2^2^2^2~22^2~3^2~23^2
X-Git-Url: https://dgit.raspbian.org/%22http://www.example.com/cgi/success//%22http:/www.example.com/cgi/success/?a=commitdiff_plain;h=77ccd0e31c824901917086c066987b2e57b1e7dc;p=cargo.git

Forbid credentials from registry URLs
---

diff --git a/src/cargo/util/config.rs b/src/cargo/util/config.rs
index 925beae4f..715180ffa 100644
--- a/src/cargo/util/config.rs
+++ b/src/cargo/util/config.rs
@@ -552,7 +552,13 @@ impl Config {
     /// Gets the index for a registry.
     pub fn get_registry_index(&self, registry: &str) -> CargoResult {
         Ok(match self.get_string(&format!("registries.{}.index", registry))? {
-            Some(index) => index.val.to_url()?,
+            Some(index) => {
+                let url = index.val.to_url()?;
+                if url.username() != "" || url.password().is_some() {
+                    bail!("Registry URLs may not contain credentials");
+                }
+                url
+            }
             None => bail!("No index found for registry: `{}`", registry),
         })
     }
diff --git a/tests/alt-registry.rs b/tests/alt-registry.rs
index c73de4e0c..7d3f91155 100644
--- a/tests/alt-registry.rs
+++ b/tests/alt-registry.rs
@@ -3,8 +3,10 @@ extern crate hamcrest;
 use cargotest::ChannelChanger;
 use cargotest::support::registry::{self, Package, alt_api_path};
-use cargotest::support::{project, execs};
+use cargotest::support::{paths, project, execs};
 use hamcrest::assert_that;
+use std::fs::File;
+use std::io::Write;
 
 #[test]
 fn is_feature_gated() {
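Review bot: The new guard in `get_registry_index` rejects any non-empty username, not only a password, so an index written as `ssh://git@<host>/index` (the usual SSH-git form, with a bare user and no secret) now fails with a message that speaks of "credentials"; if that is the intended policy the doc comment should say so, e.g. `/// Gets the index for a registry. Fails if the configured URL carries a username or a password.` Leaving the URL out of the `bail!` text is the right choice, because the value being rejected is exactly the one that may hold a secret, and a short comment above the check stating that would keep a later change from echoing it into stderr or logs. Clippy's `comparison_to_empty` would also rewrite the condition as `if !url.username().is_empty() || url.password().is_some() {`.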
@@ -423,3 +425,35 @@ fn publish_with_crates_io_dep() {
         .arg("--registry").arg("alternative").arg("-Zunstable-options"),
         execs().with_status(0));
 }
+
+#[test]
+fn credentials_in_url_forbidden() {
+    registry::init();
+
+    let config = paths::home().join(".cargo/config");
+
+    File::create(config)
+        .unwrap()
+        .write_all(br#"
+            [registries.alternative]
+            index = "ssh://git:secret@foobar.com"
+        "#)
+        .unwrap();
+
+    let p = project("foo")
+        .file("Cargo.toml", r#"
+            cargo-features = ["alternative-registries"]
+
+            [project]
+            name = "foo"
+            version = "0.0.1"
+            authors = []
+        "#)
+        .file("src/main.rs", "fn main() {}")
+        .build();
+
+    assert_that(p.cargo("publish").masquerade_as_nightly_cargo()
+        .arg("--registry").arg("alternative").arg("-Zunstable-options"),
+        execs().with_status(101)
+        .with_stderr_contains("error: Registry URLs may not contain credentials"));
+}
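Review bot: `credentials_in_url_forbidden` exercises only the `user:password` form, so a regression that kept one half of the `username() != "" || password().is_some()` condition and dropped the other would still pass. Two further config variants with the same expected stderr, `index = "ssh://git@foobar.com"` (bare username) and `index = "ssh://:secret@foobar.com"` (password without username), would pin both halves of the check. The `with_stderr_contains` assertion confirms the error is reported but not that the configured secret stays out of the output; a negative match on the literal `secret`, if `Execs` offers such an assertion, would make that property explicit.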