From d55c2d7c58ced5e1e2e768314e766abcf46a204f Mon Sep 17 00:00:00 2001
From: Matt Ickstadt
Date: Wed, 13 Sep 2017 19:12:33 -0500
Subject: [PATCH] windows: Enable default security parameters on file creation to avoid named pipe exploit

Fixes #42036

As noted in [this paper][1], the threat model for the exploit is a priveleged Rust process which accepts a file path from a malicious program. With this exploit, the malicious program can pass a named pipe to the priveleged process and gain its elevated priveleges.

The fix is to change the default OpenOptions to contain the proper security flags. [The .NET FileStream][2] has this same behavior by default. We're using the `SecurityIdentification` security level which is more permissive, but still blocks the exploit.

This is technically a breaking change. If someone were using a named pipe to impersonate a program *on purpose*, they would have to add `.security_qos_flags(0)` to their `OpenOptions` to keep working.

[1]: http://www.blakewatts.com/namedpipepaper.html
[2]: http://referencesource.microsoft.com/#mscorlib/system/io/filestream.cs,837
---
 src/libstd/sys/windows/c.rs | 1 +
 src/libstd/sys/windows/fs.rs | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/libstd/sys/windows/c.rs b/src/libstd/sys/windows/c.rs
index 7dfcc996e18e2..d604e81b2bfa4 100644
--- a/src/libstd/sys/windows/c.rs
+++ b/src/libstd/sys/windows/c.rs
@@ -117,6 +117,7 @@ pub const FILE_GENERIC_WRITE: DWORD = STANDARD_RIGHTS_WRITE | FILE_WRITE_DATA |
 pub const FILE_FLAG_OPEN_REPARSE_POINT: DWORD = 0x00200000;
 pub const FILE_FLAG_BACKUP_SEMANTICS: DWORD = 0x02000000;
 pub const SECURITY_SQOS_PRESENT: DWORD = 0x00100000;
+pub const SECURITY_IDENTIFICATION: DWORD = 0x00010000;
 pub const FIONBIO: c_ulong = 0x8004667e;
diff --git a/src/libstd/sys/windows/fs.rs b/src/libstd/sys/windows/fs.rs
index f2487c1b0bd0a..09bdb12f4a629 100644
--- a/src/libstd/sys/windows/fs.rs
+++ b/src/libstd/sys/windows/fs.rs
@@ -184,7 +184,7 @@ impl OpenOptions {
 access_mode: None,
 share_mode: c::FILE_SHARE_READ | c::FILE_SHARE_WRITE | c::FILE_SHARE_DELETE,
 attributes: 0,
- security_qos_flags: 0,
+ security_qos_flags: c::SECURITY_SQOS_PRESENT | c::SECURITY_IDENTIFICATION,
 security_attributes: 0,
 }
 }
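Review bot: The new default on the `+` line carries no explanation, and a reader of `OpenOptions::new()` cannot tell why an impersonation level belongs in a file-open default; add a comment above it such as `// Request SECURITY_IDENTIFICATION so a named pipe server sitting at the opened path cannot impersonate this process (#42036); SECURITY_SQOS_PRESENT makes CreateFile honour the level.` The commit message says `.security_qos_flags(0)` restores the old behaviour, which holds only if the `security_qos_flags` setter stores the caller's value verbatim and `get_flags_and_attributes` does not re-add these bits; both live outside this hunk, so confirm that and state the new default in the public `OpenOptionsExt::security_qos_flags` docs. `SECURITY_IDENTIFICATION` still lets a pipe server learn the client's identity, just not act under it, so the comment should record that this level rather than `SECURITY_ANONYMOUS` was chosen deliberately to keep ordinary file and share opens working. The enclosing `new()` body starts before this hunk.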