os: RemoveAll susceptible to symlink race #52745
Comments
rolandshoemaker
added
OS-Windows
NeedsFix
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Both the
at(systems that implementopenat,unlinkatetc) and thenoatimplementations ofos.RemoveAllare susceptible to a TOCTOU symlink race, where a directory can be replaced with a symlink between being stat'd and open'd. This can be used to 'trick' the program into deleting things it does not expect to delete. This is a minor security issue, but has relatively limited impact because it requires a multi-user system where an attacker is able to create symlinks, a program which will callos.RemoveAllon an attacker writable tree.This is due to
O_NOFOLLOWnot being passed toopenat/openon Unix systems, andFILE_FLAG_OPEN_REPARSE_POINTnot being passed toCreateFileWon Windows. On Unix systems the fix is extremely simple, but on Windows it requires some changes to the Windows syscalls, since the flags passed toCreateFileWare fixed and cannot be altered by the caller currently.The text was updated successfully, but these errors were encountered: