summary refs log tree commit diff
path: root/src/libstd
diff options
context:
space:
mode:
authorSteve Klabnik <steve@steveklabnik.com>2016-05-09 19:45:12 -0400
committerSteve Klabnik <steve@steveklabnik.com>2016-05-09 19:45:12 -0400
commit8478d48dad949b3b1374569a5391089a49094eeb (patch)
treec357a9c629255f0d30ca58cf40f1a6002ce18a0e /src/libstd
parent0e7cb8bc31413c9ea08c67c4d66318a7e9cbfb66 (diff)
downloadrust-8478d48dad949b3b1374569a5391089a49094eeb.tar.gz
rust-8478d48dad949b3b1374569a5391089a49094eeb.zip
Add some warnings to std::env::current_exe
/cc #21889
Diffstat (limited to 'src/libstd')
-rw-r--r--src/libstd/env.rs15
1 files changed, 15 insertions, 0 deletions
diff --git a/src/libstd/env.rs b/src/libstd/env.rs
index 9dc6a26cdee..369594e2b8f 100644
--- a/src/libstd/env.rs
+++ b/src/libstd/env.rs
@@ -493,6 +493,21 @@ pub fn temp_dir() -> PathBuf {
 /// that can fail for a good number of reasons. Some errors can include, but not
 /// be limited to, filesystem operations failing or general syscall failures.
 ///
+/// # Security
+///
+/// This function should be used with care, as its incorrect usage can cause
+/// security problems. Specifically, as with many operations invovling files and
+/// paths, you can introduce a race condition. It goes like this:
+///
+/// 1. You get the path to the current executable using `current_exe()`, and
+///    store it in a variable binding.
+/// 2. Time passes. A malicious actor removes the current executable, and
+///    replaces it with a malicious one.
+/// 3. You then use the binding to try to open that file.
+///
+/// You expected to be opening the current executable, but you're now opening
+/// something completely different.
+///
 /// # Examples
 ///
 /// ```