Struct fs_mistrust::CheckedDir
source · [−]pub struct CheckedDir { /* private fields */ }
Expand description
A directory whose access properties we have verified, along with accessor functions to access members of that directory.
The accessor functions will enforce that whatever security properties we checked on the the directory also apply to all of the members that we access within the directory.
Limitations
Having a CheckedDir
means only that, at the time it was created, we were
confident that no untrusted user could access it inappropriately. It is
still possible, after the CheckedDir
is created, that a trusted user can
alter its permissions, make its path point somewhere else, or so forth.
If this kind of time-of-use/time-of-check issue is unacceptable, you may
wish to look at other solutions, possibly involving openat()
or related
APIs.
See also the crate-level Limitations section.
Implementations
sourceimpl CheckedDir
impl CheckedDir
sourcepub fn make_directory<P: AsRef<Path>>(&self, path: P) -> Result<()>
pub fn make_directory<P: AsRef<Path>>(&self, path: P) -> Result<()>
Construct a new directory within this CheckedDir, if it does not already exist.
path
must be a relative path to the new directory, containing no ..
components.
sourcepub fn open<P: AsRef<Path>>(
&self,
path: P,
options: &OpenOptions
) -> Result<File>
pub fn open<P: AsRef<Path>>(
&self,
path: P,
options: &OpenOptions
) -> Result<File>
Open a file within this CheckedDir, using a set of OpenOptions
.
path
must be a relative path to the new directory, containing no ..
components. We check, but do not create, the file’s parent directories.
We check the file’s permissions after opening it. If the file already
exists, it must not be a symlink.
If the file is created (and this is a unix-like operating system), we
always create it with mode 600
, regardless of any mode options set in
options
.
sourcepub fn as_path(&self) -> &Path
pub fn as_path(&self) -> &Path
Return a reference to this directory as a Path
.
Note that this function lets you work with a broader collection of functions, including functions that might let you access or create a file that is accessible by non-trusted users. Be careful!
sourcepub fn join<P: AsRef<Path>>(&self, path: P) -> Result<PathBuf>
pub fn join<P: AsRef<Path>>(&self, path: P) -> Result<PathBuf>
Return a new PathBuf
containing this directory’s path, with path
appended to it.
Return an error if path
has any components that could take us outside
of this directory.
sourcepub fn read_to_string<P: AsRef<Path>>(&self, path: P) -> Result<String>
pub fn read_to_string<P: AsRef<Path>>(&self, path: P) -> Result<String>
Read the contents of the file at path
within this directory, as a
String, if possible.
Return an error if path
is absent, if its permissions are incorrect,
if it has any components that could take us outside of this directory,
or if its contents are not UTF-8.
sourcepub fn read<P: AsRef<Path>>(&self, path: P) -> Result<Vec<u8>>
pub fn read<P: AsRef<Path>>(&self, path: P) -> Result<Vec<u8>>
Read the contents of the file at path
within this directory, as a
vector of bytes, if possible.
Return an error if path
is absent, if its permissions are incorrect,
or if it has any components that could take us outside of this
directory.
sourcepub fn write_and_replace<P: AsRef<Path>, C: AsRef<[u8]>>(
&self,
path: P,
contents: C
) -> Result<()>
pub fn write_and_replace<P: AsRef<Path>, C: AsRef<[u8]>>(
&self,
path: P,
contents: C
) -> Result<()>
Store contents
into the file located at path
within this directory.
We won’t write to path
directly: instead, we’ll write to a temporary
file in the same directory as path
, and then replace path
with that
temporary file if we were successful. (This isn’t truly atomic on all
file systems, but it’s closer than many alternatives.)
Limitations
This function will clobber any existing files with the same name as
path
but with the extension tmp
. (That is, if you are writing to
“foo.txt”, it will replace “foo.tmp” in the same directory.)
This function may give incorrect behavior if multiple threads or processes are writing to the same file at the same time: it is the programmer’s responsibility to use appropriate locking to avoid this.
Trait Implementations
sourceimpl Clone for CheckedDir
impl Clone for CheckedDir
sourcefn clone(&self) -> CheckedDir
fn clone(&self) -> CheckedDir
Returns a copy of the value. Read more
1.0.0 · sourcefn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
Performs copy-assignment from source
. Read more
Auto Trait Implementations
impl RefUnwindSafe for CheckedDir
impl Send for CheckedDir
impl Sync for CheckedDir
impl Unpin for CheckedDir
impl UnwindSafe for CheckedDir
Blanket Implementations
sourceimpl<T> BorrowMut<T> for T where
T: ?Sized,
impl<T> BorrowMut<T> for T where
T: ?Sized,
const: unstable · sourcefn borrow_mut(&mut self) -> &mut T
fn borrow_mut(&mut self) -> &mut T
Mutably borrows from an owned value. Read more
sourceimpl<T> ToOwned for T where
T: Clone,
impl<T> ToOwned for T where
T: Clone,
type Owned = T
type Owned = T
The resulting type after obtaining ownership.
sourcefn clone_into(&self, target: &mut T)
fn clone_into(&self, target: &mut T)
toowned_clone_into
)Uses borrowed data to replace owned data, usually by cloning. Read more