-rw-r--r--library/std/src/env.rs47
1 files changed, 17 insertions, 30 deletions
diff --git a/library/std/src/env.rs b/library/std/src/env.rs
index f03d298d869..e287a93da7b 100644
--- a/library/std/src/env.rs
+++ b/library/std/src/env.rs
@@ -644,36 +644,23 @@ pub fn temp_dir() -> PathBuf {
 ///
 /// # Security
 ///
-/// The output of this function should not be used in anything that might have
-/// security implications. For example:
-///
-/// ```
-/// fn main() {
-///     println!("{:?}", std::env::current_exe());
-/// }
-/// ```
-///
-/// On Linux systems, if this is compiled as `foo`:
-///
-/// ```bash
-/// $ rustc foo.rs
-/// $ ./foo
-/// Ok("/home/alex/foo")
-/// ```
-///
-/// And you make a hard link of the program:
-///
-/// ```bash
-/// $ ln foo bar
-/// ```
-///
-/// When you run it, you won’t get the path of the original executable, you’ll
-/// get the path of the hard link:
-///
-/// ```bash
-/// $ ./bar
-/// Ok("/home/alex/bar")
-/// ```
+/// The output of this function should not be trusted for anything
+/// that might have security implications. Basically, if users can run
+/// the executable, they can change the output arbitrarily.
+///
+/// As an example, you can easily introduce a race condition. It goes
+/// like this:
+///
+/// 1. You get the path to the current executable using `current_exe()`, and
+///    store it in a variable.
+/// 2. Time passes. A malicious actor removes the current executable, and
+///    replaces it with a malicious one.
+/// 3. You then use the stored path to re-execute the current
+///    executable.
+///
+/// You expected to safely execute the current executable, but you're
+/// instead executing something completely different. The code you
+/// just executed run with your privileges.
 ///
 /// This sort of behavior has been known to [lead to privilege escalation] when
 /// used incorrectly.
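Review bot: The last sentence of the new paragraph has a tense error that reads as a typo in a security section: `/// just executed run with your privileges.` should be `/// just executed ran with your privileges.`. Step 3 of the new list also leaves "re-execute" slightly loose; it would read better as `/// 3. You then use the stored path to re-execute what you believe is the current executable.`, making clear that the stored path, not the original binary, is what is trusted. The dropped hard-link example covered a distinct point (the returned path may name a link rather than the original file) that the new race-condition text does not restate; a one-line mention such as `/// The returned path may also be a hard link or symlink to the executable rather than its original location.` would keep that case visible without restoring the old walkthrough. The doc comment continues past the hunk on both sides.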