Correctly convert an NT path to a Win32 path in read_link

[ChrisDenton]

This can be done by simply changing the \??\ prefix to \\?\.

Currently it strips off the prefix which could lead to the wrong path being returned (e.g. if it's not a drive path or if the path contains trailing spaces, etc).

r? libs

[rustbot]

Hey! It looks like you've submitted a new PR for the library teams!

If this PR contains changes to any rust-lang/rust public library APIs then please comment with @rustbot label +T-libs-api -T-libs to tag it appropriately. If this PR contains changes to any unstable APIs please edit the PR description to add a link to the relevant API Change Proposal or create one if you haven't already. If you're unsure where your change falls no worries, just leave it as is and the reviewer will take a look and make a decision to forward on if necessary.

Examples of T-libs-api changes:

• Stabilizing library features
• Introducing insta-stable changes such as new implementations of existing stable traits on existing stable types
• Introducing new or changing existing unstable library APIs (excluding permanently unstable features / features without a tracking issue)
• Changing public documentation in ways that create new stability guarantees
• Changing observable runtime behavior of library APIs

[m-ou-se]

e.g. if it's not a drive path or if the path contains trailing spaces, etc

Would it make sense to only add the prefix in those cases? Then simple paths like C:\ProgramData will remain unchanged.

[ChrisDenton]

To be clear the absolute path returned from the OS API is like \??\C:\path which is an NT kernel path. This can be trivially and losslessly changed into a win32 verbatim path simply by modifying the prefix to \\?\C:\path. This is similar to how paths returned by canonicalize work. And I think it makes some sense for canonicalize and read_link to work similarly.

We could maybe transform the NT prefix into the non-verbatim win32 equivalent while taking care also to avoid doing so if the transformation might be lossy. But this is more difficult because there are a lot of things to be aware of (like if the filename happens to match DOS device name). Hm, I guess the easiest thing would be to attempt to pass the modified path via path::absolute and see if it changes at all. It's just a bit more complex and an extra API call.

[vthib]

I have stumbled upon this bug recently, which causes some real issues. When a link is made with a UNC target, the read_link implement returns a buggy path.

For example, a mklink /d foo \\server\path command will create a symlink pointing to a network server, and will generate a reparse point with this substitute name: \??\UNC\server\path. However the current implementation of read_link will incorrectly strip the \??\ prefix, and return an invalid path: UNC\server\path.

This can cause issues as this path can actually exist, so the read_link call can point to a completely different file, which I think can be a source for security issues. Also, it makes it impossible for the caller to find out if the path is towards a network server, or whether it is absolute or relative.

I was pondering creating an issue for this, but I found this MR which would solve the issue. Is there anything blocking it?

[m-ou-se]

@bors r+

[bors]

📌 Commit 178f7bb has been approved by m-ou-se

It is now in the queue for this repository.

[Dylan-DPC]

@bors r-

failed in rollup

[ChrisDenton]

Oh, the function this is using changed in another PR. Rebasing...

[Dylan-DPC]

@bors r=m-ou-se

[bors]

📌 Commit 6d0a0836f654f2ffedbbbb0caff34bd17e898b04 has been approved by m-ou-se

It is now in the queue for this repository.

[ChrisDenton]

Sorry, I needed to rustfmt.

@bors r-
@bors r=m-ou-se

[bors]

📌 Commit 109a47f has been approved by m-ou-se

It is now in the queue for this repository.