Skip to content

filesystem.cpp: __std_fs_change_permissions() and __std_fs_get_temp_path() should avoid TOCTOU #5970

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
AZero13 wants to merge 1 commit into
base: main
Choose a base branch
from
Open

filesystem.cpp: __std_fs_change_permissions() and __std_fs_get_temp_path() should avoid TOCTOU #5970

AZero13 wants to merge 1 commit into from
+28 −39

Conversation

@AZero13
Copy link
Contributor

@AZero13 AZero13 commented Dec 20, 2025

Also GetFileAttributesW is redundant. We don't need it.

@AZero13 AZero13 requested a review from a team as a code owner December 20, 2025 05:54
@github-project-automation github-project-automation bot moved this to Initial Review in STL Code Reviews Dec 20, 2025
@AZero13 AZero13 force-pushed the obscur branch 3 times, most recently from 15385c4 to b91422a Compare December 20, 2025 06:24
@AZero13
Avoid TOCTOU by opening and then modifying the file
2faaebb 
Also GetFileAttributesW is redundant. We don't need it.
@StephanTLavavej StephanTLavavej added enhancement Something can be improved filesystem C++17 filesystem labels Dec 31, 2025
@StephanTLavavej StephanTLavavej changed the title Avoid TOCTOU by opening and then modifying the file filesystem.cpp: __std_fs_change_permissions() and __std_fs_get_temp_path() should avoid TOCTOU Dec 31, 2025
@StephanTLavavej
Copy link
Member

StephanTLavavej commented Dec 31, 2025

Can you please provide a more detailed explanation of the transformations you're making here? I'd like to believe that this is all behavior-preserving (except for avoiding the time-of-check / time-of-use issues), but with nontrivial transformations this can be hard to see. For example, I observe that __std_fs_get_temp_path() was doing something with reparse points. I think it was just trying to verify that if a directory is a reparse point, it can be opened, which is superseded by directly trying to open the temp directory, but an actual explanation from the author of the PR would help avoid problems during review (e.g. where your intent is X and bogus, I look at the code and think your intent was Y and fine, but if I knew the intent was X then I would realize it was bogus). Thanks!

@StephanTLavavej StephanTLavavej moved this from Initial Review to Work In Progress in STL Code Reviews Jan 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

enhancement Something can be improved filesystem C++17 filesystem

Projects

STL Code Reviews
Status: Work In Progress

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@AZero13 @StephanTLavavej