Posted to dev@harmony.apache.org by Mark Hindess <ma...@googlemail.com> on 2007/09/21 12:41:06 UTC

Re: [classlib] File.createNewFile(...)

On 21 September 2007 at 9:27, Tim Ellison <t....@gmail.com> wrote:
> Mark Hindess wrote:
> > The security section of the excellent Linux Weekly News (http://lwn.net)
> > this week has an article about "Exploiting symlinks and tmpfiles".
> > After reading it, I thought I'd take a look at the Harmony natives.  I
> > am beginning to wish I hadn't ...
> 
> Well I'm glad that you did :-)
>
> <big snip/>

;-)
 
> > I have a patch for the unix now and I don't think it is as complicated
> > on windows but I'm just getting someone to check the patch before
> > committing it.
> 
> After reading through your exploits it seems (a) surprising about the
> apparent inconsistency in the OS APIs, and (b) right to fix the current
> harmony behavior to avoid miscreants taking advantage of it.

Fixed in r578050.  There was a minor complication on windows but Paulex
resolved that[0].

It also means we avoid doing a stat on every file open on unix now which
can't be a bad thing.  (We still do it on read only open calls though
since that can't be avoided without causing incorrect behaviour.)

Regards,
 Mark.

[0] I had HyOpenCreate and HyOpenCreateNew in the flags but these are
    supposed to be mutually exclusive.  On unix it did what I meant but
    due to ordering differences it didn't on windows.
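
The difference between a stat-then-open create and a single exclusive open, as discussed in the message above, shown as an added example. It is not part of the original post and is not Harmony's code; the function names, the /tmp path and the dangling-symlink scenario are constructed for illustration and assume a POSIX system.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: check-then-create. stat() and open() are separate
 * system calls, and O_CREAT alone follows a symlink at the final component. */
int create_new_racy(const char *path) {
    struct stat st;
    if (stat(path, &st) == 0) return 0;          /* reported as existing */
    int fd = open(path, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -1;
    close(fd);
    return 1;
}

/* Hypothetical helper: the kernel checks and creates in one step. With
 * O_EXCL a symlink at the final component, even a dangling one, is EEXIST. */
int create_new_atomic(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return errno == EEXIST ? 0 : -1;
    close(fd);
    return 1;
}

/* Constructed scenario: a private temp dir holding a dangling symlink.
 * Returns 1 if calling create() on the link created the link's target. */
int target_created_via_symlink(int (*create)(const char *)) {
    char dir[] = "/tmp/createnew-XXXXXX", link[64], target[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(link, sizeof link, "%s/link", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, link) != 0) { rmdir(dir); return -1; }
    create(link);
    int created = (access(target, F_OK) == 0);
    unlink(target); unlink(link); rmdir(dir);
    return created;
}

int main(void) {
    printf("stat then open:  target created = %d\n",
           target_created_via_symlink(create_new_racy));
    printf("O_CREAT|O_EXCL:  target created = %d\n",
           target_created_via_symlink(create_new_atomic));
    return 0;
}
```

The exclusive open also removes the separate stat call, since the existence check happens inside the open itself.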