From 503e74e96958045025448f90c8da4c7bd1484be9 Mon Sep 17 00:00:00 2001 From: Paul Dicker Date: Wed, 6 Feb 2019 14:17:22 +0100 Subject: [PATCH 1/2] Fix SECURITY_SQOS_PRESENT missing if security_qos_flags(SECURITY_ANONYMOUS) is set --- src/libstd/sys/windows/fs.rs | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/libstd/sys/windows/fs.rs b/src/libstd/sys/windows/fs.rs index 533b8ae9ba2c0..e1f815a525c98 100644 --- a/src/libstd/sys/windows/fs.rs +++ b/src/libstd/sys/windows/fs.rs @@ -191,7 +191,11 @@ impl OpenOptions { pub fn access_mode(&mut self, access_mode: u32) { self.access_mode = Some(access_mode); } pub fn share_mode(&mut self, share_mode: u32) { self.share_mode = share_mode; } pub fn attributes(&mut self, attrs: u32) { self.attributes = attrs; } - pub fn security_qos_flags(&mut self, flags: u32) { self.security_qos_flags = flags; } + pub fn security_qos_flags(&mut self, flags: u32) { + // We have to set `SECURITY_SQOS_PRESENT` here, because one of the valid flags we can + // receive is `SECURITY_ANONYMOUS = 0x0`, which we can't check for later on. + self.security_qos_flags = flags | c::SECURITY_SQOS_PRESENT; + } pub fn security_attributes(&mut self, attrs: c::LPSECURITY_ATTRIBUTES) { self.security_attributes = attrs as usize; } @@ -239,7 +243,6 @@ impl OpenOptions { self.custom_flags | self.attributes | self.security_qos_flags | - if self.security_qos_flags != 0 { c::SECURITY_SQOS_PRESENT } else { 0 } | if self.create_new { c::FILE_FLAG_OPEN_REPARSE_POINT } else { 0 } } } From 089524c31ac8098965f9ed69d89a5de127b4bbbb Mon Sep 17 00:00:00 2001 From: Paul Dicker Date: Wed, 6 Feb 2019 14:20:27 +0100 Subject: [PATCH 2/2] Correct OpenOptions::security_qos_flags documentation --- src/libstd/sys/windows/ext/fs.rs | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/src/libstd/sys/windows/ext/fs.rs b/src/libstd/sys/windows/ext/fs.rs index 89038da6295f2..85967516933a3 100644 --- a/src/libstd/sys/windows/ext/fs.rs +++ b/src/libstd/sys/windows/ext/fs.rs @@ -220,13 +220,27 @@ pub trait OpenOptionsExt { /// the specified value (or combines it with `custom_flags` and `attributes` /// to set the `dwFlagsAndAttributes` for [`CreateFile`]). /// - /// By default, `security_qos_flags` is set to `SECURITY_ANONYMOUS`. For - /// information about possible values, see [Impersonation Levels] on the - /// Windows Dev Center site. - /// + /// By default `security_qos_flags` is not set. It should be specified when + /// opening a named pipe, to control to which degree a server process can + /// act on behalf of a client process (security impersonation level). + /// + /// When `security_qos_flags` is not set a malicious program can gain the + /// elevated privileges of a privileged Rust process when it allows opening + /// user-specified paths, by tricking it into opening a named pipe. So + /// arguably `security_qos_flags` should also be set when opening arbitrary + /// paths. However the bits can then conflict with other flags, specifically + /// `FILE_FLAG_OPEN_NO_RECALL`. + /// + /// For information about possible values, see [Impersonation Levels] on the + /// Windows Dev Center site. The `SECURITY_SQOS_PRESENT` flag is set + /// automatically when using this method. + /// # Examples /// /// ```no_run + /// # #[cfg(for_demonstration_only)] + /// extern crate winapi; + /// # mod winapi { pub const SECURITY_IDENTIFICATION: u32 = 0; } /// use std::fs::OpenOptions; /// use std::os::windows::prelude::*; /// @@ -235,9 +249,9 @@ pub trait OpenOptionsExt { /// .create(true) /// /// // Sets the flag value to `SecurityIdentification`. - /// .security_qos_flags(1) + /// .security_qos_flags(winapi::SECURITY_IDENTIFICATION) /// - /// .open("foo.txt"); + /// .open(r"\\.\pipe\MyPipe"); /// ``` /// /// [`CreateFile`]: https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858.aspx