authorbors <bors@rust-lang.org>2019-03-02 13:16:12 +0000
committerbors <bors@rust-lang.org>2019-03-02 13:16:12 +0000
commitfab272e5ef92b5f0b4f10c1b42c7dbcb5cec0f78 (patch)
tree3a77cc67f7730c513d7f43f9ad58ce029639bba7 /src/libstd/sys/windows/ext
parent9cfed5da12bf65212eb9a4ae9141c2f39f995381 (diff)
parent089524c31ac8098965f9ed69d89a5de127b4bbbb (diff)
Auto merge of #58216 - pitdicker:sqos_flags, r=alexcrichton
 Set secure flags when opening a named pipe on Windows

Fixes https://github.com/rust-lang/rust/issues/42036, see also the previous attempt in https://github.com/rust-lang/rust/pull/44556.

Whether this is correct depends on whether it is somehow possible to create a symlink to a named pipe outside the named pipe filesystem (NPFS); as far as I can tell that should be impossible.

Also fixes that `security_qos_flags(SECURITY_ANONYMOUS)` does not set the `SECURITY_SQOS_PRESENT` flag, and the incorrect documentation about the default value of `security_qos_flags`.
Diffstat (limited to 'src/libstd/sys/windows/ext')
-rw-r--r--src/libstd/sys/windows/ext/fs.rs26
1 files changed, 20 insertions, 6 deletions
diff --git a/src/libstd/sys/windows/ext/fs.rs b/src/libstd/sys/windows/ext/fs.rs
index b6da5950280..268a14ff0aa 100644
--- a/src/libstd/sys/windows/ext/fs.rs
+++ b/src/libstd/sys/windows/ext/fs.rs
@@ -220,13 +220,27 @@ pub trait OpenOptionsExt {
     /// the specified value (or combines it with `custom_flags` and `attributes`
     /// to set the `dwFlagsAndAttributes` for [`CreateFile`]).
     ///
-    /// By default, `security_qos_flags` is set to `SECURITY_ANONYMOUS`. For
-    /// information about possible values, see [Impersonation Levels] on the
-    /// Windows Dev Center site.
-    ///
+    /// By default `security_qos_flags` is not set. It should be specified when
+    /// opening a named pipe, to control to which degree a server process can
+    /// act on behalf of a client process (security impersonation level).
+    ///
+    /// When `security_qos_flags` is not set a malicious program can gain the
+    /// elevated privileges of a privileged Rust process when it allows opening
+    /// user-specified paths, by tricking it into opening a named pipe. So
+    /// arguably `security_qos_flags` should also be set when opening arbitrary
+    /// paths. However the bits can then conflict with other flags, specifically
+    /// `FILE_FLAG_OPEN_NO_RECALL`.
+    ///
+    /// For information about possible values, see [Impersonation Levels] on the
+    /// Windows Dev Center site. The `SECURITY_SQOS_PRESENT` flag is set
+    /// automatically when using this method.
+
     /// # Examples
     ///
     /// ```no_run
+    /// # #[cfg(for_demonstration_only)]
+    /// extern crate winapi;
+    /// # mod winapi { pub const SECURITY_IDENTIFICATION: u32 = 0; }
     /// use std::fs::OpenOptions;
     /// use std::os::windows::prelude::*;
     ///
@@ -235,9 +249,9 @@ pub trait OpenOptionsExt {
     ///     .create(true)
     ///
     ///     // Sets the flag value to `SecurityIdentification`.
-    ///     .security_qos_flags(1)
+    ///     .security_qos_flags(winapi::SECURITY_IDENTIFICATION)
     ///
-    ///     .open("foo.txt");
+    ///     .open(r"\\.\pipe\MyPipe");
     /// ```
     ///
     /// [`CreateFile`]: https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858.aspx
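Review bot: The example now opens `\\.\pipe\MyPipe` but still keeps `.create(true)` from the earlier file-oriented version; a named pipe instance is created by its server with `CreateNamedPipe`, not by a client's `CreateFile`, so the create disposition here is presumably ignored or rejected and the example reads as if the client could create the pipe. Dropping the `.create(true)` line, or adding `// the pipe must already have been created by its server` above the `.open(...)` call, would keep the example honest. Because the example is `no_run`, a doc-test build does not catch this. The surrounding `OpenOptionsExt` trait and the example's opening lines are outside this hunk.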