Make sure rustup.sh is safe from truncation errors #19168
Labels
E-easy
Call for participation: Easy difficulty. Experience needed to fix: Not much. Good first issue.
Comments
|
This would theoretically be resolved by putting the whole script into a function that then gets executed at the very end, so nothing happens until that is reached, e.g. f() {
rm -Rf "${TMP_DIR}"
need_ok "failed to remove temporary installation directory"
mkdir -p "${TMP_DIR}"
need_ok "failed to create create temporary installation directory"
...
rm -Rf "${TMP_DIR}"
need_ok "couldn't rm temporary installation directory"
}
f(Tagging as E-easy due to this, I believe the file is available in |
huonw
added
the
E-easy
erickt
added a commit
to erickt/rust
that referenced
this issue
Dec 3, 2014
This closes rust-lang#19168. It's possible that if the downloading of `rustup.sh` is interrupted, bad things could happen, such as running a naked "rm -rf /" instead of "rm -rf /path/to/tmpdir". This wraps rustup.sh's functionality in a function that gets called at the last time that should protect us from these truncation errors.
bors
added a commit
that referenced
this issue
Dec 4, 2014
This closes #19168. Please be careful reviewing this since this gets used all over the place. I've tested all the options and everything appears to be working though.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Someone on hacker news pointed out that bad things could potentially happen if the running of
curl https://static.rust-lang.org/rust.sh | shgets truncated on a bad line. We should audit the code to make sure that can't happen. Maybe we could write the actual rustup.sh and verify it with a checksum before we execute it?The text was updated successfully, but these errors were encountered: