author Jacob Pratt <jacob@jhpratt.dev> 2025-06-01 00:35:54 +0200
committer GitHub <noreply@github.com> 2025-06-01 00:35:54 +0200
commit 7f306d5729fc11d18a88de6f7503b9c2883e250d (patch)
tree ca572d81a3b9acd23e634a953c50050aa528e414
parent 542dcbf6a20709f40c72b87f42be36325dba0ab3 (diff)
parent 7f7c415d03e6ec431a65a6f5625026761ab9f913 (diff)
download rust-7f306d5729fc11d18a88de6f7503b9c2883e250d.tar.gz
rust-7f306d5729fc11d18a88de6f7503b9c2883e250d.zip
Rollup merge of #141832 - workingjubilee:explain-what-toctou-races-are, r=thomcc,ChrisDenton
library: explain TOCTOU races in `fs::remove_dir_all`

In the previous description it said there was a TOCTOU race but did not explain exactly what the problem was. I sat down with the CVE, reviewed its text, and created this explanation. This context should hopefully help people understand the actual risk as-such.

Incidentally, it also fixes the capitalization on the name of Redox OS.

Original CVE and advisory:
- CVE: https://www.cve.org/CVERecord?id=CVE-2022-21658
- security advisory: https://groups.google.com/g/rustlang-security-announcements/c/R1fZFDhnJVQ?pli=1
- GitHub cross-post: https://github.com/rust-lang/rust/security/advisories/GHSA-r9cc-f5pr-p3j2
-rw-r--r-- library/std/src/fs.rs | 27
1 files changed, 19 insertions, 8 deletions
diff --git a/library/std/src/fs.rs b/library/std/src/fs.rs
index 8ed5800e9d0..711efc7d011 100644
--- a/library/std/src/fs.rs
+++ b/library/std/src/fs.rs
@@ -2915,17 +2915,28 @@ pub fn remove_dir<P: AsRef<Path>>(path: P) -> io::Result<()> {
 ///
 /// # Platform-specific behavior
 ///
-/// This function currently corresponds to `openat`, `fdopendir`, `unlinkat` and `lstat` functions
-/// on Unix (except for REDOX) and the `CreateFileW`, `GetFileInformationByHandleEx`,
-/// `SetFileInformationByHandle`, and `NtCreateFile` functions on Windows. Note that, this
-/// [may change in the future][changes].
+/// These implementation details [may change in the future][changes].
+///
+/// - "Unix-like": By default, this function currently corresponds to
+/// `openat`, `fdopendir`, `unlinkat` and `lstat`
+/// on Unix-family platforms, except where noted otherwise.
+/// - "Windows": This function currently corresponds to `CreateFileW`,
+/// `GetFileInformationByHandleEx`, `SetFileInformationByHandle`, and `NtCreateFile`.
+///
+/// ## Time-of-check to time-of-use (TOCTOU) race conditions
+/// On a few platforms there is no way to remove a directory's contents without following symlinks
+/// unless you perform a check and then operate on paths based on that directory.
+/// This allows concurrently-running code to replace the directory with a symlink after the check,
+/// causing a removal to instead operate on a path based on the symlink. This is a TOCTOU race.
+/// By default, `fs::remove_dir_all` protects against a symlink TOCTOU race on all platforms
+/// except the following. It should not be used in security-sensitive contexts on these platforms:
+/// - Miri: Even when emulating targets where the underlying implementation will protect against
+/// TOCTOU races, Miri will not do so.
+/// - Redox OS: This function does not protect against TOCTOU races, as Redox does not implement
+/// the required platform support to do so.
 ///
 /// [changes]: io#platform-specific-behavior
 ///
-/// On REDOX, as well as when running in Miri for any target, this function is not protected against
-/// time-of-check to time-of-use (TOCTOU) race conditions, and should not be used in
-/// security-sensitive code on those platforms. All other platforms are protected.
-///
 /// # Errors
 ///
 /// See [`fs::remove_file`] and [`fs::remove_dir`].
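Review bot: The new "Unix-like" bullet (the `openat`, `fdopendir`, `unlinkat` and `lstat` line) replaces the old "except for REDOX" qualifier with "except where noted otherwise", but the only later mention of Redox is in the TOCTOU section and it says nothing about which functions Redox uses, so a reader can no longer tell that the syscall list does not apply there; either keep an explicit "(except Redox)" on that bullet or have the Redox bullet state what the function corresponds to on that platform. As a style point, the `## Time-of-check to time-of-use (TOCTOU) race conditions` heading is followed directly by body text, and the sentence ending "on these platforms:" runs straight into the `- Miri:` list, whereas the surrounding doc comment separates headings and lists from paragraphs with an empty `///` line; adding those blank lines keeps the section consistent with the rest of the comment.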