@@ -220,13 +220,27 @@ pub trait OpenOptionsExt {
220220 /// the specified value (or combines it with `custom_flags` and `attributes`
221221 /// to set the `dwFlagsAndAttributes` for [`CreateFile`]).
222222 ///
223- /// By default, `security_qos_flags` is set to `SECURITY_ANONYMOUS`. For
224- /// information about possible values, see [Impersonation Levels] on the
225- /// Windows Dev Center site.
226- ///
223+ /// By default `security_qos_flags` is not set. It should be specified when
224+ /// opening a named pipe, to control to which degree a server process can
225+ /// act on behalf of a client process (security impersonation level).
226+ ///
227+ /// When `security_qos_flags` is not set a malicious program can gain the
228+ /// elevated privileges of a privileged Rust process when it allows opening
229+ /// user-specified paths, by tricking it into opening a named pipe. So
230+ /// arguably `security_qos_flags` should also be set when opening arbitrary
231+ /// paths. However the bits can then conflict with other flags, specifically
232+ /// `FILE_FLAG_OPEN_NO_RECALL`.
233+ ///
234+ /// For information about possible values, see [Impersonation Levels] on the
235+ /// Windows Dev Center site. The `SECURITY_SQOS_PRESENT` flag is set
236+ /// automatically when using this method.
237+
227238 /// # Examples
228239 ///
229240 /// ```no_run
241+ /// # #[cfg(for_demonstration_only)]
242+ /// extern crate winapi;
243+ /// # mod winapi { pub const SECURITY_IDENTIFICATION: u32 = 0; }
230244 /// use std::fs::OpenOptions;
231245 /// use std::os::windows::prelude::*;
232246 ///
@@ -235,9 +249,9 @@ pub trait OpenOptionsExt {
235249 /// .create(true)
236250 ///
237251 /// // Sets the flag value to `SecurityIdentification`.
238- /// .security_qos_flags(1 )
252+ /// .security_qos_flags(winapi::SECURITY_IDENTIFICATION )
239253 ///
240- /// .open("foo.txt ");
254+ /// .open(r"\\.\pipe\MyPipe ");
241255 /// ```
242256 ///
243257 /// [`CreateFile`]: https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858.aspx
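Review bot: The security paragraph added at new lines 227-232 warns that leaving `security_qos_flags` unset is risky, but it never says which impersonation level a pipe server then gets, so a reader cannot judge the exposure. I would add a sentence such as `/// If it is not set, Windows applies its default impersonation level for the pipe server.` and name that level after checking it against the [`CreateFile`] documentation. The separator at new line 237 is an empty line rather than `///`, unlike the other separators in this comment, and should be `///`. In the hidden stub at new line 243, `SECURITY_IDENTIFICATION` is defined as `0`, which is the numeric value of `SECURITY_ANONYMOUS`; `0x0001_0000` would match the real constant for anyone reading the source. The `OpenOptionsExt` trait body starts and ends outside these hunks.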