Cargo: Relative paths in Cargo.toml readme
I've found an odd case:
- The
readmepath is relative pointing to a parent directory:../README.md, - there is no
README.mdin the.cratefile, - and yet, miraculously, crates.io shows a readme: https://crates.io/crates/juniper/0.9.2
It seems the readme was snatched when the crate was published, with whatever filesystem access was temporarily possible at time of publishing. Unfortunately, it means it's not possible to get the README later from the package.
Could Cargo require the README to be in the package?
kornelski
All 6 comments
What should be done for this case? It's just a bit of an odd one.
dwijnand
on 19 Dec 2018
A simple client-side fix to Cargo would be:
- When publishing, validate the
readmepath and check that it doesn't escape crate's root (root.join(readme).strip_prefix(root).is_some()perhaps?) - Check that the path is included in the package. If the crate uses
includekey, perhaps add it there, or warn if it's excluded.
Or rendering of README's could be moved to server-side. The server would read them from the actual package, so that authors would be visible when the package is incomplete.
kornelski
on 19 Dec 2018
Yeah, there's a few different ways cargo could be more consistent, the whole spectrum from hard erroring, to warning, to accommodating. I'm just not sure what we prefer. 馃檪
dwijnand
on 19 Dec 2018
Mildly related, on publishing and README checking: #4861
dwijnand
on 20 Dec 2018
In #6607 @ehuss suggests this fix:
copy the README somewhere into the package and rewrite the path in Cargo.toml
dwijnand
on 28 Jan 2019
I have just run into this issue. I think that it would be great if cargo could deal with it copying files outside of the crate directory, but in the meantime it would be nice to have a warning (personally I would prefer an error).
stanislav-tkach
on 10 May 2020
Related issues
disconsented
路
3Comments
tensorchen
路
3Comments
skletsun
路
3Comments
rodoufu
路
3Comments
nox
路
3Comments
Most helpful comment
In #6607 @ehuss suggests this fix: