mirrors/uv
1
0
Fork 0
mirror of https://github.com/astral-sh/uv.git synced 2025-07-07 21:35:00 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Fix index out of bounds in SourceDistributionFilename::parse (#353)

Browse source 
Found this one in the top 8k pypi tests too
This commit is contained in:
konsti 2023-11-07 12:44:40 +01:00 committed by GitHub
parent f96865edd1
commit c11586f2f0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 16 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

19
crates/distribution-filename/src/source_distribution.rs
View file

@ -71,13 +71,17 @@ impl SourceDistributionFilename {
)); ));
}; };
if stem.len() <= package_name.as_ref().len() + "-".len() {
return Err(SourceDistributionFilenameError::InvalidFilename {
filename: filename.to_string(),
package_name: package_name.to_string(),
});
}
let actual_package_name = PackageName::from_str(&stem[..package_name.as_ref().len()]) let actual_package_name = PackageName::from_str(&stem[..package_name.as_ref().len()])
.map_err(|err| { .map_err(|err| {
SourceDistributionFilenameError::InvalidPackageName(filename.to_string(), err) SourceDistributionFilenameError::InvalidPackageName(filename.to_string(), err)
})?; })?;
if stem.len() <= package_name.as_ref().len() + "-".len() if &actual_package_name != package_name {
|| &actual_package_name != package_name
{
return Err(SourceDistributionFilenameError::InvalidFilename { return Err(SourceDistributionFilenameError::InvalidFilename {
filename: filename.to_string(), filename: filename.to_string(),
package_name: package_name.to_string(), package_name: package_name.to_string(),
@ -154,4 +158,13 @@ mod tests {
.is_err()); .is_err());
} }
} }
#[test]
fn name_to_long() {
assert!(SourceDistributionFilename::parse(
"foo.zip",
&PackageName::from_str("foo-lib").unwrap()
)
.is_err());
}
} }