nordic-dev.net/rust
nordic-dev.net/rust
2
0
Fork 0
mirror of https://github.com/rust-lang/rust.git synced 2024-11-27 01:04:03 +00:00
Code Issues Packages Projects Releases Wiki Activity
Empowering everyone to build reliable and efficient software.
244,717 Commits 7 Branches 139 Tags 1.9 GiB
Rust 96.1%
RenderScript 0.7%
JavaScript 0.6%
Shell 0.6%
Fluent 0.4%
Other 1.4%
b60707e174
Go to file
Guillaume Gomez b60707e174
Rollup merge of #120250 - chadnorvell:rustdoc-xss, r=notriddle 
rustdoc: Prevent JS injection from localStorage

It turns out that you can execute arbitrary JavaScript on the rustdocs settings page. Here's how:

1. Open `settings.html` on a rustdocs site.
2. Set "preferred light theme" to "dark" to initialize the corresponding localStorage value.
3. Plant a payload by executing this in your browser's dev console: ``Object.keys(localStorage).forEach(key=>localStorage.setItem(key,`javascript:alert()//*/javascript:javascript:"/*'/*\`/*--></noscript></title></textarea></style></template></noembed></script><html " onmouseover=/*&lt;svg/*/onload=alert()onload=alert()//><svg onload=alert()><svg onload=alert()>*/</style><script>alert()</script><style>`));``
4. Refresh the page -- you should see an alert.

This could be particularly dangerous if rustdocs are deployed on a domain hosting some other application. Malicious code could circumvent `same-origin` policies and do mischievous things with user data.

This change ensures that only defined themes can actually be selected (arbitrary strings from localStorage will not be written to the document), and for good measure sanitizes the theme name.
2024-01-30 11:19:13 +01:00
.github Update actions/checkout and actions/cache 2024-01-26 11:06:55 +00:00
.reuse Rollup merge of #119189 - henrispriet:move-installing-from-source, r=Mark-Simulacrum 2024-01-13 22:35:08 +01:00
compiler Auto merge of #119744 - lcnr:assemble-only-rigid, r=compiler-errors 2024-01-30 07:11:24 +00:00
library Rollup merge of #119991 - kornelski:endless-read, r=the8472 2024-01-30 11:19:12 +01:00
LICENSES Add missing CC-BY-SA-4.0. 2023-11-27 11:03:53 +00:00
src Rollup merge of #120250 - chadnorvell:rustdoc-xss, r=notriddle 2024-01-30 11:19:13 +01:00
tests Auto merge of #119744 - lcnr:assemble-only-rigid, r=compiler-errors 2024-01-30 07:11:24 +00:00
.editorconfig Only use max_line_length = 100 for *.rs 2023-07-10 15:18:36 -07:00
.git-blame-ignore-revs Ignore let-chains formatting 2023-10-15 18:30:34 +00:00
.gitattributes Rename config.toml.example to config.example.toml 2023-03-11 14:10:00 -08:00
.gitignore don't globally ignore rustc-ice files 2023-09-16 09:44:44 +02:00
.gitmodules Update to LLVM 17.0.6 2023-12-14 09:54:14 +01:00
.mailmap correct my mailmap entry 2024-01-21 20:47:26 -05:00
Cargo.lock Rollup merge of #120420 - lnicola:rm-pattern-analysis-derivative, r=Nilstrieb 2024-01-29 12:56:53 +00:00
Cargo.toml Update to Cranelift 0.104 2024-01-26 11:18:14 +00:00
CODE_OF_CONDUCT.md Remove the code of conduct; instead link https://www.rust-lang.org/conduct.html 2019-10-05 22:55:19 +02:00
config.example.toml add a new optimized_compiler_builtins option 2024-01-07 13:04:40 +03:00
configure Enforce Python 3 as much as possible 2020-04-10 09:09:58 -04:00
CONTRIBUTING.md fix: Update CONTRIBUTING.md recommend -> recommended 2023-11-16 23:57:09 +05:30
COPYRIGHT Update COPYRIGHT file 2022-10-30 10:23:14 -04:00
INSTALL.md Move section "Installing from Source" to seperate file 2024-01-13 17:22:55 +01:00
LICENSE-APACHE Remove appendix from LICENCE-APACHE 2019-12-30 14:25:53 +00:00
LICENSE-MIT LICENSE-MIT: Remove inaccurate (misattributed) copyright notice 2017-07-26 16:51:58 -07:00
README.md Update Readme 2024-01-15 13:57:29 -08:00
RELEASES.md apply last suggestions from code review 2023-12-21 13:26:15 +01:00
rust-bors.toml Add integration for new bors 2023-09-28 10:43:24 +02:00
rustfmt.toml rustfmt.toml: don't ignore just any tests path, only root one 2024-01-11 14:59:59 +03:00
triagebot.toml Rollup merge of #119123 - bjorn3:simd_intrinsics_mentions, r=Nilstrieb 2024-01-30 11:19:12 +01:00
x Make x capable of resolving symlinks 2023-10-14 17:53:33 +03:00
x.ps1 use & instead of start-process in x.ps1 2023-12-09 09:46:16 -05:00
x.py Fix recent python linting errors 2023-08-02 04:40:28 -04:00

README.md

The Rust Programming Language

Rust Community

This is the main source code repository for Rust. It contains the compiler, standard library, and documentation.

Note: this README is for users rather than contributors. If you wish to contribute to the compiler, you should read CONTRIBUTING.md instead.

Table of Contents

Quick Start

Read "Installation" from The Book.

Installing from Source

If you really want to install from source (though this is not recommended), see INSTALL.md.

Getting Help

See https://www.rust-lang.org/community for a list of chat platforms and forums.

Contributing

See CONTRIBUTING.md.

License

Rust is primarily distributed under the terms of both the MIT license and the Apache License (Version 2.0), with portions covered by various BSD-like licenses.

See LICENSE-APACHE, LICENSE-MIT, and COPYRIGHT for details.

Trademark

The Rust Foundation owns and protects the Rust and Cargo trademarks and logos (the "Rust Trademarks").

If you want to use these names or brands, please read the media guide.

Third-party logos may be subject to third-party copyrights and trademarks. See Licenses for details.