Comments (5)
If we wanted to extend this proposal to `io.FS`, I believe the one addition would be:

```go
package fs

// An OpenFile is a directory file whose entries may be opened with the Open method.
type OpenFile interface {
	File

	// Open opens the named file in the directory.
	//
	// When Open returns an error, it should be of type *PathError
	// with the Op field set to "openat", the Path field set to name,
	// and the Err field describing the problem.
	//
	// Open should reject attempts to open names that do not
	// satisfy ValidPath(name), returning a *PathError with Err set to
	// ErrInvalid or ErrNotExist.
	Open(name string) (File, error)
}
```

A more interesting question is `os.DirFS`. Currently, `DirFS` has two documented limitations: It follows symlinks out of the directory tree, and if the FS root is a relative path then it will be affected by later `Chdir` calls.
I don't think we can change `DirFS`'s symlink-following behavior: It's documented, and it's a behavior that a user could reasonably depend on.
The interaction between `DirFS` and `Chdir` seems less likely to be something a user would depend on, but it is documented. I'm not sure if we can change it at this point, but perhaps.
Perhaps we should add a version of `DirFS` that opens the directory root at creation time (retaining a handle to it even if the current working directory changes or the root is renamed), and refuses to follow symlinks out of the root. I'm not sure if that should be part of this proposal or a separate one.
from go.
Is this essentially https://pkg.go.dev/github.com/google/safeopen with Beneath -> In?
That also has a ReadFile / WriteFile variant which I'd use more than the create version.
from go.
The design of this proposal is influenced by github.com/google/safeopen, but differs in a few areas. (Sorry, I really should have mentioned safeopen as prior art.)
Of the three parts of this proposal:
- `os.OpenIn` is essentially `safeopen.OpenBeneath`.
- `File.Open` is a slightly more limited but safer version of `openat`, and has no equivalent in `safeopen`.
- `O_NOFOLLOW_ANY` has no equivalent in `safeopen`.
`ReadFileIn` and `WriteFileIn` seem like a useful and logical extension of this proposal.
from go.
Yes, please. When I was working on safe file operations, it turned out to be hard to do correctly without OS support.
Without `O_NOFOLLOW`, you have to slowly check every segment for symlinks before traversing into it. For the naive implementation, how do you protect against TOCTOU bugs? At the moment that you check some path segment and verify that it's not a symlink (or a safe one) and then proceed to descend into it, some other process (or goroutine) could have asynchronously changed the target.
from go.
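The check-then-descend race raised in the comment above goes away when the symlink check and the open are the same system call. The following is an added example, not code from the thread, the proposal or safeopen: a Linux-only sketch in which the hypothetical helper `openBeneath` walks one path component at a time with `openat` and `O_NOFOLLOW`, using a constructed temporary tree as sample input.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"strings"
	"syscall"
)

// openBeneath (hypothetical helper, Linux only) opens name under root without following symlinks.
func openBeneath(root, name string) (*os.File, error) {
	if !fs.ValidPath(name) { // rejects "..", absolute paths and empty elements
		return nil, &fs.PathError{Op: "openat", Path: name, Err: fs.ErrInvalid}
	}
	// Assumption: the root itself is trusted and may be reached through symlinks.
	dirfd, err := syscall.Open(root, syscall.O_RDONLY|syscall.O_DIRECTORY|syscall.O_CLOEXEC, 0)
	if err != nil {
		return nil, &fs.PathError{Op: "open", Path: root, Err: err}
	}
	parts := strings.Split(name, "/")
	for i, part := range parts {
		flags := syscall.O_RDONLY | syscall.O_NOFOLLOW | syscall.O_CLOEXEC
		if i < len(parts)-1 {
			flags |= syscall.O_DIRECTORY // intermediate components must be real directories
		}
		// Check and use are one syscall, so there is no window to swap the component.
		fd, err := syscall.Openat(dirfd, part, flags, 0)
		syscall.Close(dirfd)
		if err != nil {
			return nil, &fs.PathError{Op: "openat", Path: name, Err: err}
		}
		dirfd = fd
	}
	return os.NewFile(uintptr(dirfd), name), nil
}

func main() {
	// Constructed sample tree: root/escape is a symlink that points outside root.
	root, _ := os.MkdirTemp("", "root")
	defer os.RemoveAll(root)
	os.WriteFile(root+"/ok.txt", []byte("hi"), 0o600)
	os.Symlink(os.TempDir(), root+"/escape")
	for _, name := range []string{"ok.txt", "escape/anything", "../x"} {
		f, err := openBeneath(root, name)
		f.Close() // safe on a nil *os.File
		fmt.Printf("%-16s err=%v\n", name, err)
	}
}
```

The errno returned for a refused symlink differs by position and kernel version (`ELOOP` or `ENOTDIR`), so callers should treat any error as a refusal rather than match a specific value.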
What, if any, changes would be made to "io/fs"? Ideally, there is a mirror of these APIs in that package.
from go.