Skip to content

Commit 3c4784c

Browse files
rbtcollinsrbtcollins
committed
Bump remove_dir_all
While this fixes a TOCTOU bug in the dependency, rustup is run either as an unprivileged process, or as a privileged process operating on a file tree that the privileged user owns; it is not a setuid binary and that mitigates much of the vulnerability: a deliberately misconfigured sudoers or similar would be required. Thus this hardens rustup against misconfiguration, but does not close an active vulnerability in how rustup is designed to be used.
1 parent 52c6c91 commit 3c4784c

File tree

2 files changed

+131
-41
lines changed

2 files changed

+131
-41
lines changed

Cargo.lock

Lines changed: 130 additions & 40 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

Cargo.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -47,7 +47,7 @@ openssl = {version = "0.10", optional = true}
4747
pulldown-cmark = {version = "0.9", default-features = false}
4848
rand = "0.8"
4949
regex = "1"
50-
remove_dir_all = "0.7.0"
50+
remove_dir_all = {version= "0.8.1", features=["parallel"]}
5151
same-file = "1"
5252
scopeguard = "1"
5353
semver = "1.0"

0 commit comments

Comments
 (0)