Clarify g_file_test() docs about TOCTOU bugs

Do not show just what not to do: show what to do instead, otherwise people won't know how to fix their code. Make sure to link to an explanation of the TOCTOU class of bugs; Wikipedia is as good a place as any.
2024-11-10 03:16:17 +01:00 · 2023-01-26 14:20:34 +00:00 · 2023-01-26 14:20:34 +00:00 · 293b492334
commit 293b492334
parent b5a3297dca
1 changed files with 19 additions and 1 deletions
--- a/glib/gfileutils.c
+++ b/glib/gfileutils.c
@ -313,10 +313,13 @@ g_mkdir_with_parents (const gchar *pathname,
 *
 * You should never use g_file_test() to test whether it is safe
 * to perform an operation, because there is always the possibility
- * of the condition changing before you actually perform the operation.
+ * of the condition changing before you actually perform the operation,
+ * see [TOCTOU](https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use).
+ *
 * For example, you might think you could use %G_FILE_TEST_IS_SYMLINK
 * to know whether it is safe to write to a file without being
 * tricked into writing into a different location. It doesn't work!
+ *
 * |[<!-- language="C" -->
 *  // DON'T DO THIS
 *  if (!g_file_test (filename, G_FILE_TEST_IS_SYMLINK)) 
@ -324,6 +327,21 @@ g_mkdir_with_parents (const gchar *pathname,
 *      fd = g_open (filename, O_WRONLY);
 *      // write to fd
 *    }
+ *
+ *  // DO THIS INSTEAD
+ *  fd = g_open (filename, O_WRONLY);
+ *  if (fd == -1)
+ *    {
+ *      // check error
+ *      if (errno == ELOOP)
+ *        // file is a symlink and can be ignored
+ *      else
+ *        // handle errors as before
+ *    }
+ *  else
+ *    {
+ *      // write to fd
+ *    }
 * ]|
 *
 * Another thing to note is that %G_FILE_TEST_EXISTS and