From 8478d48dad949b3b1374569a5391089a49094eeb Mon Sep 17 00:00:00 2001 From: Steve Klabnik Date: Mon, 9 May 2016 19:45:12 -0400 Subject: [PATCH 1/2] Add some warnings to std::env::current_exe /cc #21889 --- src/libstd/env.rs | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/libstd/env.rs b/src/libstd/env.rs index 9dc6a26cdeed3..369594e2b8f6a 100644 --- a/src/libstd/env.rs +++ b/src/libstd/env.rs @@ -493,6 +493,21 @@ pub fn temp_dir() -> PathBuf { /// that can fail for a good number of reasons. Some errors can include, but not /// be limited to, filesystem operations failing or general syscall failures. /// +/// # Security +/// +/// This function should be used with care, as its incorrect usage can cause +/// security problems. Specifically, as with many operations invovling files and +/// paths, you can introduce a race condition. It goes like this: +/// +/// 1. You get the path to the current executable using `current_exe()`, and +/// store it in a variable binding. +/// 2. Time passes. A malicious actor removes the current executable, and +/// replaces it with a malicious one. +/// 3. You then use the binding to try to open that file. +/// +/// You expected to be opening the current executable, but you're now opening +/// something completely different. +/// /// # Examples /// /// ``` From c4730daf450bafe51e76d430f94d2c59c814e53c Mon Sep 17 00:00:00 2001 From: Steve Klabnik Date: Tue, 19 Jul 2016 12:32:56 -0400 Subject: [PATCH 2/2] re-work example --- src/libstd/env.rs | 47 +++++++++++++++++++++++++++++++++++------------ 1 file changed, 35 insertions(+), 12 deletions(-) diff --git a/src/libstd/env.rs b/src/libstd/env.rs index 369594e2b8f6a..5a3899eca3f0c 100644 --- a/src/libstd/env.rs +++ b/src/libstd/env.rs @@ -495,18 +495,41 @@ pub fn temp_dir() -> PathBuf { /// /// # Security /// -/// This function should be used with care, as its incorrect usage can cause -/// security problems. Specifically, as with many operations invovling files and -/// paths, you can introduce a race condition. It goes like this: -/// -/// 1. You get the path to the current executable using `current_exe()`, and -/// store it in a variable binding. -/// 2. Time passes. A malicious actor removes the current executable, and -/// replaces it with a malicious one. -/// 3. You then use the binding to try to open that file. -/// -/// You expected to be opening the current executable, but you're now opening -/// something completely different. +/// The output of this function should not be used in anything that might have +/// security implications. For example: +/// +/// ``` +/// fn main() { +/// println!("{:?}", std::env::current_exe()); +/// } +/// ``` +/// +/// On Linux systems, if this is compiled as `foo`: +/// +/// ```bash +/// $ rustc foo.rs +/// $ ./foo +/// Ok("/home/alex/foo") +/// ``` +/// +/// And you make a symbolic link of the program: +/// +/// ```bash +/// $ ln foo bar +/// ``` +/// +/// When you run it, you won't get the original executable, you'll get the +/// symlink: +/// +/// ```bash +/// $ ./bar +/// Ok("/home/alex/bar") +/// ``` +/// +/// This sort of behavior has been known to [lead to privledge escalation] when +/// used incorrectly, for example. +/// +/// [lead to privledge escalation]: http://securityvulns.com/Wdocument183.html /// /// # Examples ///