Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SourceId serialization is ambiguous due to lack of escaping #11085

Closed
g2p opened this issue Sep 14, 2022 · 0 comments · Fixed by #12280
Closed

SourceId serialization is ambiguous due to lack of escaping #11085

g2p opened this issue Sep 14, 2022 · 0 comments · Fixed by #12280
Labels
A-lockfile Area: Cargo.lock issues C-bug Category: bug S-needs-design Status: Needs someone to work further on the design for the feature or fix. NOT YET accepted.

Comments

@g2p
Copy link
Contributor

g2p commented Sep 14, 2022
edited
Loading

Problem

I noticed this when cargo update (in compare_dependency_graphs) kept notifying me of spurious changes when referring to a branch name with a '+' character. Due to poor serialisation, deserializing a branch name from Cargo.lock gives a branch that doesn't match the one in Cargo.toml.

It's also possible to give a branch name that will spill into the 'precise' commit hash when deserializing.

Steps

No response

Possible Solution(s)

Will send a PR that fixes serialization to use the expected encoding, which is unambiguous.

Notes

No response

Version

cargo 1.65.0 (bd99c043c 2022-09-09)
release: 1.65.0
commit-hash: bd99c043ceeaa0318f1ce4633f796110ae182002
commit-date: 2022-09-09
host: x86_64-unknown-linux-gnu
libgit2: 1.5.0 (sys:0.15.0 vendored)
libcurl: 7.81.0 (sys:0.4.56+curl-7.83.1 system ssl:NSS/3.68.2)
os: Ubuntu 22.04 (jammy) [64-bit]
@g2p g2p added the C-bug Category: bug label Sep 14, 2022
g2p added a commit to g2p/cargo that referenced this issue Sep 14, 2022
@g2p
SourceId: some git branches aren't properly serialized
fb553d5 
This adds a failing test for rust-lang#11085.

For some branch names (or tags or refs), generate_lockfile will
serialize poorly.  Parsing the Cargo.lock will refer to a branch
that wasn't the intended one in Cargo.toml.

Because a branch name can contain the '#' character, the precise
reference could be overriden through a branch/tag/ref as well.

This is because serialisation is done with a custom Display
implementation that concatenates strings as-is and is unaware
that some characters may need escaping; on the other hand,
deserialization uses url::Url::query_pairs which assumes
<https://url.spec.whatwg.org/#application/x-www-form-urlencoded>.
g2p added a commit to g2p/cargo that referenced this issue Sep 14, 2022
@g2p
SourceId: Fix ambiguous serialization of Git references
4650ae1 
Use x-www-form-urlencoded which is the standard for query strings,
matching what deserialization expects.
https://url.spec.whatwg.org/#application/x-www-form-urlencoded

Fixes rust-lang#11085.
g2p added a commit to g2p/cargo that referenced this issue Sep 14, 2022
@g2p
SourceId: some git branches aren't properly serialized
da2f573 
This adds a failing test for rust-lang#11085.

For some branch names (or tags or refs), generate_lockfile will
serialize poorly.  Parsing the Cargo.lock will refer to a branch
that wasn't the intended one in Cargo.toml.

Because a branch name can contain the '#' character, the precise
reference could be corrupted through a branch/tag/ref as well.

This is because serialisation is done with a custom Display
implementation that concatenates strings as-is and is unaware
that some characters may need escaping; on the other hand,
deserialization uses url::Url::query_pairs which assumes
<https://url.spec.whatwg.org/#application/x-www-form-urlencoded>.
g2p added a commit to g2p/cargo that referenced this issue Sep 14, 2022
@g2p
SourceId: Fix ambiguous serialization of Git references
f8d7f5b 
Use x-www-form-urlencoded which is the standard for query strings,
matching what the deserializer expects.
https://url.spec.whatwg.org/#application/x-www-form-urlencoded

Fixes rust-lang#11085.
@g2p g2p mentioned this issue Sep 14, 2022
Closed
g2p added a commit to g2p/cargo that referenced this issue Sep 14, 2022
@g2p
SourceId: some git branches aren't properly serialized
ec3ed33 
This adds a failing test for rust-lang#11085.

For some branch names (or tags or refs), generate_lockfile will
serialize poorly.  Parsing the Cargo.lock will refer to a branch
that wasn't the intended one in Cargo.toml.

Because a branch name can contain the '#' character, the precise
reference could be corrupted through a branch/tag/ref as well.

This is because serialisation is done with a custom Display
implementation that concatenates strings as-is and is unaware
that some characters may need escaping; on the other hand,
deserialization uses url::Url::query_pairs which assumes
<https://url.spec.whatwg.org/#application/x-www-form-urlencoded>.
g2p added a commit to g2p/cargo that referenced this issue Sep 14, 2022
@g2p
SourceId: Fix ambiguous serialization of Git references
9486e76 
Use x-www-form-urlencoded which is the standard for query strings,
matching what the deserializer expects.
https://url.spec.whatwg.org/#application/x-www-form-urlencoded

Fixes rust-lang#11085.
@weihanglo weihanglo added the A-lockfile Area: Cargo.lock issues label Sep 15, 2022
g2p added a commit to g2p/cargo that referenced this issue Sep 15, 2022
@g2p
SourceId: Fix ambiguous serialization of Git references
78c456d 
Use x-www-form-urlencoded which is the standard for query strings,
matching what the deserializer expects.
https://url.spec.whatwg.org/#application/x-www-form-urlencoded

Fixes rust-lang#11085.
g2p added a commit to g2p/cargo that referenced this issue Sep 15, 2022
@g2p
SourceId: some git branches aren't properly serialized
2c7ae3d 
This adds a failing test for rust-lang#11085.

For some branch names (or tags or refs), generate_lockfile will
serialize poorly.  Parsing the Cargo.lock will refer to a branch
that wasn't the intended one in Cargo.toml.

Because a branch name can contain the '#' character, the precise
reference could be corrupted through a branch/tag/ref as well.

This is because serialisation is done with a custom Display
implementation that concatenates strings as-is and is unaware
that some characters may need escaping; on the other hand,
deserialization uses url::Url::query_pairs which assumes
<https://url.spec.whatwg.org/#application/x-www-form-urlencoded>.
g2p added a commit to g2p/cargo that referenced this issue Sep 15, 2022
@g2p
SourceId: Fix ambiguous serialization of Git references
3476441 
Use x-www-form-urlencoded which is the standard for query strings,
matching what the deserializer expects.
https://url.spec.whatwg.org/#application/x-www-form-urlencoded

Fixes rust-lang#11085.
@weihanglo weihanglo mentioned this issue Mar 2, 2023
Closed
@weihanglo weihanglo added the S-needs-design Status: Needs someone to work further on the design for the feature or fix. NOT YET accepted. label Apr 25, 2023
@weihanglo weihanglo mentioned this issue May 10, 2023
Open
@weihanglo weihanglo mentioned this issue Jun 17, 2023
Merged
@weihanglo weihanglo mentioned this issue Aug 21, 2023
Closed
@bruceg bruceg mentioned this issue Aug 21, 2023
Merged
@jszwedko jszwedko mentioned this issue Aug 22, 2023
Closed
@weihanglo weihanglo mentioned this issue Sep 23, 2024
Closed
@epage epage mentioned this issue Nov 4, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
A-lockfile Area: Cargo.lock issues C-bug Category: bug S-needs-design Status: Needs someone to work further on the design for the feature or fix. NOT YET accepted.
Projects
None yet
Milestone
No milestone
2 participants
@g2p @weihanglo