diff options
| author | Steve Klabnik <steve@steveklabnik.com> | 2016-05-09 19:45:12 -0400 |
|---|---|---|
| committer | Steve Klabnik <steve@steveklabnik.com> | 2016-05-09 19:45:12 -0400 |
| commit | 8478d48dad949b3b1374569a5391089a49094eeb (patch) | |
| tree | c357a9c629255f0d30ca58cf40f1a6002ce18a0e /src/libstd | |
| parent | 0e7cb8bc31413c9ea08c67c4d66318a7e9cbfb66 (diff) | |
| download | rust-8478d48dad949b3b1374569a5391089a49094eeb.tar.gz rust-8478d48dad949b3b1374569a5391089a49094eeb.zip | |
Add some warnings to std::env::current_exe
/cc #21889
Diffstat (limited to 'src/libstd')
| -rw-r--r-- | src/libstd/env.rs | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/src/libstd/env.rs b/src/libstd/env.rs index 9dc6a26cdee..369594e2b8f 100644 --- a/src/libstd/env.rs +++ b/src/libstd/env.rs @@ -493,6 +493,21 @@ pub fn temp_dir() -> PathBuf { /// that can fail for a good number of reasons. Some errors can include, but not /// be limited to, filesystem operations failing or general syscall failures. /// +/// # Security +/// +/// This function should be used with care, as its incorrect usage can cause +/// security problems. Specifically, as with many operations invovling files and +/// paths, you can introduce a race condition. It goes like this: +/// +/// 1. You get the path to the current executable using `current_exe()`, and +/// store it in a variable binding. +/// 2. Time passes. A malicious actor removes the current executable, and +/// replaces it with a malicious one. +/// 3. You then use the binding to try to open that file. +/// +/// You expected to be opening the current executable, but you're now opening +/// something completely different. +/// /// # Examples /// /// ``` |
