From ca9aa3dae88f58576169c10e4b1ed925b9e07725 Mon Sep 17 00:00:00 2001
From: boxdot
Date: Mon, 28 May 2018 12:06:03 +0200
Subject: [PATCH] Verify that src dir was not modified by build.rs during publish.

Co-authored-by: Gabriel Feron
---
 src/cargo/ops/cargo_package.rs | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/cargo/ops/cargo_package.rs b/src/cargo/ops/cargo_package.rs
index f9de82868..037d53ba9 100644
--- a/src/cargo/ops/cargo_package.rs
+++ b/src/cargo/ops/cargo_package.rs
@@ -330,6 +330,7 @@ fn run_verify(ws: &Workspace, tar: &FileLock, opts: &PackageOpts) -> CargoResult
 let id = SourceId::for_path(&dst)?;
 let mut src = PathSource::new(&dst, &id, ws.config());
 let new_pkg = src.root_package()?;
+ let pkg_fingerprint = src.fingerprint(&new_pkg)?;
 let ws = Workspace::ephemeral(new_pkg, config, None, true)?;

 ops::compile_ws(
@@ -352,6 +353,15 @@ fn run_verify(ws: &Workspace, tar: &FileLock, opts: &PackageOpts) -> CargoResult
 Arc::new(DefaultExecutor),
 )?;

+ // Check that build.rs didn't modify any files in the src directory.
+ let ws_fingerprint = src.fingerprint(ws.current()?)?;
+ if pkg_fingerprint != ws_fingerprint {
+ bail!(
+ "Source directory was modified by build.rs during cargo publish. \ Build scripts should not modify anything outside of OUT_DIR."
+ )
+ }
+
 Ok(())
 }

-- 
2.30.2
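Review bot: The check added after `ops::compile_ws` compares only `src.fingerprint(...)` of the unpacked package, yet the error text says build scripts must not modify anything outside OUT_DIR, so the message promises more than the code enforces. This patch does not show how `PathSource::fingerprint` is computed; if it is timestamp-based rather than content-based, the comparison is a best-effort lint, and a comment such as `// Best-effort: only detects changes reflected in the PathSource fingerprint; this does not sandbox build.rs.` would stop later readers from treating it as an integrity boundary. The message also gives no hint of what changed; appending both values (assuming the fingerprint type is printable), e.g. `Before: {} After: {}` with `pkg_fingerprint, ws_fingerprint` as arguments, would make a failure diagnosable. The diffstat lists only cargo_package.rs, so no regression test accompanies the new check. run_verify begins and its `compile_ws` call continues outside the two hunks.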