1
0
mirror of https://github.com/vlang/v.git synced 2023-08-10 21:13:21 +03:00
v/vlib/os
2022-09-25 22:54:46 +03:00
..
bare
cmdline
filelock
font
notify tests: make error handling the same as the main function (#15825) 2022-09-21 19:45:43 +03:00
args.v
const_nix.c.v os: reduce heap allocations done by os.real_path, os.executable, os.getwd 2022-08-17 17:06:38 +03:00
const_windows.c.v os: reduce heap allocations done by os.real_path, os.executable, os.getwd 2022-08-17 17:06:38 +03:00
const.v
dir_expansions_test.v os: extract dir_expansions_test.v from os_test.v 2022-09-01 13:07:29 +03:00
environment_test.v
environment.c.v os: remove private unix_environ() helper function, it is not needed anymore (#15654) 2022-09-04 13:22:38 +03:00
environment.js.v
fd.c.v
file_test.v tests: omit testsuite_begin/end() optional (#15871) 2022-09-25 10:29:25 +03:00
file.c.v ci: fix compilation on FreeBSD (C.feof is a macro there, that expands to direct field access) 2022-09-24 10:17:32 +00:00
file.js.v
filepath_test.v os: add windows_volume function (#14721) 2022-06-08 21:26:24 +03:00
filepath_windows.v os: correct description of windows_volume function (#14726) 2022-06-09 10:56:58 +03:00
filepath.v os: add windows_volume function (#14721) 2022-06-08 21:26:24 +03:00
find_abs_path_of_executable_test.v tests: make error handling the same as the main function (#15825) 2022-09-21 19:45:43 +03:00
glob_test.v tests: make error handling the same as the main function (#15825) 2022-09-21 19:45:43 +03:00
inode_test.v
inode.c.v
open_uri_default.c.v os: add exo-open to the list of tried launchers in os.open_uri/1 (#14884) 2022-06-29 11:59:25 +03:00
open_uri_windows.c.v
os_android_outside_termux.c.v checker: fix nested struct reference type field initialized check. (fix: #15741) (#15752) 2022-09-15 07:59:31 +03:00
os_darwin.c.v
os_js.js.v os: rewrite os.walk and os.walk_with_context to use iteration, instead of recursion 2022-08-22 17:27:14 +03:00
os_linux.c.v
os_nix.c.v pref,os,sokol,cgen: ease compilation of 2048 with -os wasm32_emscripten (#15820) 2022-09-20 00:17:13 +03:00
os_structs_dirent_default.c.v
os_structs_sigaction_default.c.v
os_structs_stat_default.c.v checker: improve pub struct check (fix #14446) (#14777) 2022-06-19 17:42:22 +03:00
os_structs_stat_linux.c.v checker: improve pub struct check (fix #14446) (#14777) 2022-06-19 17:42:22 +03:00
os_structs_utsname_default.c.v
os_test.v os: fix os.read_file and os.read_bytes for 0 sized /proc/ files on Linux (fix #15852) (#15853) 2022-09-25 22:54:46 +03:00
os_windows.c.v checker: fix nested struct reference type field initialized check. (fix: #15741) (#15752) 2022-09-15 07:59:31 +03:00
os.c.v os: fix os.read_file and os.read_bytes for 0 sized /proc/ files on Linux (fix #15852) (#15853) 2022-09-25 22:54:46 +03:00
os.js.v os: fix find_abs_path_of_executable function (on Windows) (#14835) 2022-06-23 03:36:15 +03:00
os.v os: rewrite os.walk and os.walk_with_context to use iteration, instead of recursion 2022-08-22 17:27:14 +03:00
password_nix.c.v os: add input_password(prompt) and unit tests (#15507) 2022-08-23 18:17:38 +03:00
password_windows.c.v os: add input_password(prompt) and unit tests (#15507) 2022-08-23 18:17:38 +03:00
process_nix.c.v pref,os,sokol,cgen: ease compilation of 2048 with -os wasm32_emscripten (#15820) 2022-09-20 00:17:13 +03:00
process_test.v tests: omit testsuite_begin/end() optional (#15871) 2022-09-25 10:29:25 +03:00
process_windows.c.v checker: fix nested struct reference type field initialized check. (fix: #15741) (#15752) 2022-09-15 07:59:31 +03:00
process.c.v
process.js.v
process.v
README.md os: add a security advisory for potential TOCTOU risks when using os.is_writable, os.is_executable etc (#15222) 2022-07-26 12:02:48 +03:00
signal_test.v builtin: show non zero codes on bubbled error_with_code(msg,code) errors 2022-08-16 18:59:38 +03:00
signal.c.v
signal.js.v
signal.v

Description:

os provides common OS/platform independent functions for accessing command line arguments, reading/writing files, listing folders, handling processes etc.


A few os module functions can lead to the TOCTOU vulnerability if used incorrectly. TOCTOU (Time-of-Check-to-Time-of-Use problem) can occur when a file, folder or similar is checked for certain specifications (e.g. read, write permissions) and a change is made afterwards. In the time between the initial check and the edit, an attacker can then cause damage. The following example shows an attack strategy on the left and an improved variant on the right so that TOCTOU is no longer possible.

Example Hint: os.create() opens a file in write-only mode

Possibility for TOCTOU attack
if os.is_writable("file"){

    // >> time to make a quick attack (e.g. symlink /etc/passwd to >file<) <<

    mut f := os.create('path/to/file') ?
        // <do something with file>
    f.close()
}
TOCTOU not possible
mut f := os.create('path/to/file') or {
    println("file not writable")
}

// >> do someting with file; file is locked <<

f.close()

Proven affected functions
The following functions should be used with care and only when used correctly.

  • os.is_readable()
  • os.is_writable()
  • os.is_executable()
  • os.is_link()