Auto merge of #11004 - jonhoo:bump-git2, r=weihanglo
Bump git2 to 0.15 and libgit2-sys to 0.14. This lets Cargo avoid vendored builds of git2 in up-to-date environments going forward, and brings in the [libgit2 1.4.4 CVE fix]. [libgit2 1.4.4 CVE fix]: https://github.com/libgit2/libgit2/releases/tag/v1.4.4
e5ec3a8ff9
@ -28,8 +28,8 @@ pretty_env_logger = { version = "0.4", optional = true }
|
|||
anyhow = "1.0"
|
||||
filetime = "0.2.9"
|
||||
flate2 = { version = "1.0.3", default-features = false, features = ["zlib"] }
|
||||
git2 = "0.14.2"
|
||||
git2-curl = "0.15.0"
|
||||
git2 = "0.15.0"
|
||||
git2-curl = "0.16.0"
|
||||
glob = "0.3.0"
|
||||
hex = "0.4"
|
||||
home = "0.5"
|
||||
|
@ -41,7 +41,7 @@ jobserver = "0.1.24"
|
|||
lazycell = "1.2.0"
|
||||
libc = "0.2"
|
||||
log = "0.4.6"
|
||||
libgit2-sys = "0.13.2"
|
||||
libgit2-sys = "0.14.0"
|
||||
memchr = "2.1.3"
|
||||
opener = "0.5"
|
||||
os_info = "3.5.0"
|
||||
|
|
|
@ -14,7 +14,7 @@ cargo-util = { path = "../cargo-util" }
|
|||
snapbox = { version = "0.3.0", features = ["diff", "path"] }
|
||||
filetime = "0.2"
|
||||
flate2 = { version = "1.0", default-features = false, features = ["zlib"] }
|
||||
git2 = "0.14.2"
|
||||
git2 = "0.15.0"
|
||||
glob = "0.3"
|
||||
itertools = "0.10.0"
|
||||
lazy_static = "1.0"
|
||||
|
|
|
@ -255,4 +255,27 @@ fn init_git_transports(config: &Config) {
|
|||
unsafe {
|
||||
git2_curl::register(handle);
|
||||
}
|
||||
|
||||
// Disabling the owner validation in git can, in theory, lead to code execution
|
||||
// vulnerabilities. However, libgit2 does not launch executables, which is the foundation of
|
||||
// the original security issue. Meanwhile, issues with refusing to load git repos in
|
||||
// `CARGO_HOME` for example will likely be very frustrating for users. So, we disable the
|
||||
// validation.
|
||||
//
|
||||
// For further discussion of Cargo's current interactions with git, see
|
||||
//
|
||||
// https://github.com/rust-lang/rfcs/pull/3279
|
||||
//
|
||||
// and in particular the subsection on "Git support".
|
||||
//
|
||||
// Note that we only disable this when Cargo is run as a binary. If Cargo is used as a library,
|
||||
// this code won't be invoked. Instead, developers will need to explicitly disable the
|
||||
// validation in their code. This is inconvenient, but won't accidentally open consuming
|
||||
// applications up to security issues if they use git2 to open repositories elsewhere in their
|
||||
// code.
|
||||
unsafe {
|
||||
if git2::opts::set_verify_owner_validation(false).is_err() {
|
||||
return;
|
||||
}
|
||||
}
|
||||
}
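Review bot: The new `unsafe` block around `git2::opts::set_verify_owner_validation(false)` carries no `// SAFETY:` comment, and the `if … .is_err() { return; }` at the tail of the function is a no-op early return that reads like error handling but only drops the result. libgit2 options are process-global, so the invariant to state is that this runs once during startup before any other thread touches libgit2 — presumably true for `init_git_transports`, but worth confirming; e.g. `// SAFETY: sets a process-global libgit2 option; called once at startup before any other libgit2 use.` followed by `let _ = git2::opts::set_verify_owner_validation(false);` (or a debug log on failure). The rationale comment argues only that libgit2 does not launch executables; if that is the accepted basis, it should also state that repository configuration owned by another user (URL rewrites, proxy and TLS settings) is still honored once validation is off, so the residual risk is documented rather than implied away. `init_git_transports` begins outside the hunk.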
|
||||
|
|