From bdbc8da5b4286207f653277be998c943399d64c0 Mon Sep 17 00:00:00 2001
From: Eric Huss
Date: Fri, 4 Dec 2020 14:09:06 -0800
Subject: [PATCH] Validate that the credential process only outputs a single line (token).
---
 src/cargo/ops/registry/auth.rs | 7 +++++
 tests/testsuite/credential_process.rs | 42 +++++++++++++++++++++++++++
 2 files changed, 49 insertions(+)
diff --git a/src/cargo/ops/registry/auth.rs b/src/cargo/ops/registry/auth.rs
index 5ab4ece5f..660daa40d 100644
--- a/src/cargo/ops/registry/auth.rs
+++ b/src/cargo/ops/registry/auth.rs
@@ -164,6 +164,13 @@ fn run_command(
 )
 })?;
 if let Some(end) = buffer.find('\n') {
+ if buffer.len() > end + 1 {
+ bail!(
+ "credential process `{}` returned more than one line of output; \
+ expected a single token",
+ exe.display()
+ );
+ }
 buffer.truncate(end);
 }
 token = Some(buffer);
diff --git a/tests/testsuite/credential_process.rs b/tests/testsuite/credential_process.rs
index 41d9d5e5b..f367b6b41 100644
--- a/tests/testsuite/credential_process.rs
+++ b/tests/testsuite/credential_process.rs
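Review bot: A CRLF-terminated token still passes the new single-line check in run_command with its carriage return attached: for output such as `tok\r\n` the `buffer.len() > end + 1` test is false and `buffer.truncate(end)` leaves `tok\r` as the token. Stripping it right after the truncate, e.g. `if buffer.ends_with('\r') { buffer.pop(); }`, would keep a control character out of wherever the token is used later (presumably a request header; that use is outside this hunk). The same path also accepts an empty first line, so `token` can end up as `Some` of an empty string; a `bail!` on an empty token would surface a misbehaving helper here rather than as an authentication failure at the registry. run_command starts and ends outside the hunk, so how `buffer` is filled is not visible.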
@@ -448,3 +448,45 @@ Caused by:
 )
 .run();
 }
+
+#[cargo_test]
+fn invalid_token_output() {
+ // Error when credential process does not output the expected format for a token.
+ registry::init();
+ paths::home().join(".cargo/credentials").rm_rf();
+ let cred_proj = project()
+ .at("cred_proj")
+ .file("Cargo.toml", &basic_manifest("test-cred", "1.0.0"))
+ .file("src/main.rs", r#"fn main() { print!("a\nb\n"); } "#)
+ .build();
+ cred_proj.cargo("build").run();
+
+ cargo::util::paths::append(
+ &paths::home().join(".cargo/config"),
+ format!(
+ r#"
+ [registry]
+ credential-process = ["{}"]
+ "#,
+ toml_bin(&cred_proj, "test-cred")
+ )
+ .as_bytes(),
+ )
+ .unwrap();
+
+ let p = project()
+ .file("Cargo.toml", &basic_manifest("foo", "1.0.0"))
+ .file("src/lib.rs", "")
+ .build();
+
+ p.cargo("publish --no-verify --registry alternative -Z credential-process")
+ .masquerade_as_nightly_cargo()
+ .with_status(101)
+ .with_stderr(
+ "\
+[UPDATING] [..]
+[ERROR] credential process `[..]test-cred[EXE]` returned more than one line of output; expected a single token
+",
+ )
+ .run();
+}
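Review bot: invalid_token_output pins only one rejected shape, the helper that runs `print!("a\nb\n")`, so the boundary the new check turns on (any byte after the first newline) is not exercised. A second helper printing `a\n\n` would confirm that a trailing blank line is rejected as well, and a case ending in `\r\n` would record how a Windows-style line ending is treated. It would also help to put a comment above `.with_stderr(` stating what the exact-match expectation protects, for example `// The error names only the executable; it must not echo the helper's output, which may contain the token.`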