Hello team,
I hope you are well!
Is there a way to open the walked file entries and avoid the TOCTOU race condition security vulnerability? Ideally DirEntry should have a method that returns a fs::File. Without this method, all people's applications using a walkdir->open pattern are vulnerable to TOCTOU attacks. Meaning that an attacker can change the file (content, permissions, or attributes) between the walk and the open action, which is a common attack vector.
https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use
Have a nice day. @chaignc
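
The walk-then-open gap raised in the issue above, as an added example that is not part of the original post and is not walkdir's code: it records the entry's device and inode at walk time, then checks the opened handle rather than the path. `FileId`, `check`, `open_verified` and `demo` are hypothetical names; a single `symlink_metadata` call stands in for the walk, the swapped entry is constructed in a temporary directory, and a Unix target is assumed.

```rust
use std::fs::{self, File};
use std::io::{self, Error, ErrorKind};
use std::os::unix::fs::MetadataExt;
use std::path::Path;

/// Identity of an entry as seen during the walk (hypothetical helper type).
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct FileId { dev: u64, ino: u64 }

/// Check step: lstat the entry (symlinks are not followed) and record its identity.
pub fn check(path: &Path) -> io::Result<FileId> {
    let md = fs::symlink_metadata(path)?;
    if !md.is_file() {
        return Err(Error::new(ErrorKind::InvalidInput, "not a regular file"));
    }
    Ok(FileId { dev: md.dev(), ino: md.ino() })
}

/// Use step: open, then fstat the descriptor and compare with the walked identity.
pub fn open_verified(path: &Path, expected: FileId) -> io::Result<File> {
    let file = File::open(path)?;
    let md = file.metadata()?; // queries the open handle, not the path
    let actual = FileId { dev: md.dev(), ino: md.ino() };
    if !md.is_file() || actual != expected {
        return Err(Error::new(ErrorKind::Other, "entry changed between walk and open"));
    }
    Ok(file)
}

/// Constructed demo: returns (unchanged entry opens, swapped entry is rejected).
pub fn demo() -> io::Result<(bool, bool)> {
    let dir = std::env::temp_dir().join(format!("toctou_demo_{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let (entry, other) = (dir.join("entry.txt"), dir.join("other.txt"));
    fs::write(&entry, b"walked")?;
    fs::write(&other, b"other")?;
    let id = check(&entry)?;
    let unchanged_ok = open_verified(&entry, id).is_ok();
    // Simulate the race: after the check, the entry is replaced by a symlink.
    fs::remove_file(&entry)?;
    std::os::unix::fs::symlink(&other, &entry)?;
    let swap_rejected = open_verified(&entry, id).is_err();
    fs::remove_dir_all(&dir)?;
    Ok((unchanged_ok, swap_rejected))
}

fn main() -> io::Result<()> {
    println!("{:?}", demo()?);
    Ok(())
}
```

Once `open_verified` returns, reads and metadata queries should go through the returned `File` only; any later path-based call on the same entry reopens the gap.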