From: boxdot
Date: Mon, 28 May 2018 10:06:03 +0000 (+0200)
Subject: Verify that src dir was not modified by build.rs during publish.
X-Git-Tag: archive/raspbian/0.35.0-2+rpi1~3^2^2^2^2^2^2^2~22^2^2~14^2~7
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=ca9aa3dae88f58576169c10e4b1ed925b9e07725;p=cargo.git
Verify that src dir was not modified by build.rs during publish.
Co-authored-by: Gabriel Feron
---
diff --git a/src/cargo/ops/cargo_package.rs b/src/cargo/ops/cargo_package.rs
index f9de82868..037d53ba9 100644
--- a/src/cargo/ops/cargo_package.rs
+++ b/src/cargo/ops/cargo_package.rs
@@ -330,6 +330,7 @@ fn run_verify(ws: &Workspace, tar: &FileLock, opts: &PackageOpts) -> CargoResult
 let id = SourceId::for_path(&dst)?;
 let mut src = PathSource::new(&dst, &id, ws.config());
 let new_pkg = src.root_package()?;
+ let pkg_fingerprint = src.fingerprint(&new_pkg)?;
 let ws = Workspace::ephemeral(new_pkg, config, None, true)?;
 ops::compile_ws(
@@ -352,6 +353,15 @@ fn run_verify(ws: &Workspace, tar: &FileLock, opts: &PackageOpts) -> CargoResult
 Arc::new(DefaultExecutor),
 )?;
+ // Check that build.rs didn't modify any files in the src directory.
+ let ws_fingerprint = src.fingerprint(ws.current()?)?;
+ if pkg_fingerprint != ws_fingerprint {
+ bail!(
+ "Source directory was modified by build.rs during cargo publish. \
+ Build scripts should not modify anything outside of OUT_DIR."
+ )
+ }
+
 Ok(())
 }
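Review bot: The baseline `pkg_fingerprint` is taken without a comment saying why, and its only use is separated from it by the whole `ops::compile_ws` call and appears in the next hunk. A line such as `// Baseline of the unpacked sources; compared after the build to detect build-script writes.` above it would make the pairing obvious. The strength of this guard depends on what `fingerprint()` covers, which this diff does not show; if it is derived from modification times rather than file contents, the comment should say the check is best-effort. The body of `run_verify` starts and ends outside this hunk.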
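Review bot: The error text names `cargo publish`, but the check sits in `run_verify` in `cargo_package.rs`, which takes `PackageOpts` and so presumably also runs when a package is only being verified. Wording such as `"Source directory was modified by build.rs during package verification. \` would be accurate on both paths. The message also gives no hint of what changed; appending the two values (for example `before: {}, after: {}` with `pkg_fingerprint` and `ws_fingerprint`, assuming they are printable) would help a maintainer locate the offending write. The comparison is only reached when `compile_ws` succeeds, because the `?` on that call returns early on a build failure.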