find-maint: Don't Trust the File System Contents
4.4 Don't Trust the File System Contents
========================================
People use 'find' to search in directories created by other people.
Sometimes they do this to check for suspicious activity (for example, to
look for new setuid binaries). This means that it would be bad if
'find' were vulnerable to, say, a security problem exploitable by
constructing a specially-crafted filename. The same consideration
applies to 'locate' and 'updatedb'.

Henry Spencer said this well in his fifth commandment:

     Thou shalt check the array bounds of all strings (indeed, all
     arrays), for surely where thou typest 'foo' someone someday shall
     type 'supercalifragilisticexpialidocious'.

Symbolic links can often be a problem. If 'find' calls 'lstat' on
something and discovers that it is a directory, it is normal for 'find'
to recurse into it. Even if the 'chdir' system call is made
immediately afterwards, there is still a window of opportunity between
the 'lstat' and the 'chdir' in which a malicious person could rename the
directory away and substitute a symbolic link to some other directory,
so that 'find' ends up descending into a directory it never examined.
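The following is an added example, not code from findutils, showing the
usual defence against the 'lstat'/'chdir' window described above: open the
entry with 'O_NOFOLLOW' so a swapped-in symbolic link is refused, then
compare the opened object's device and inode numbers with the ones
'lstat' reported before using 'fchdir' on the descriptor. The helper
names ('open_dir_verified', 'check_scenario') and the scratch directory
under '/tmp' are assumptions of this example; 'check_scenario' constructs
a directory, takes the 'lstat' snapshot, and optionally performs the
directory-to-symlink substitution itself so that the check can be seen
rejecting it.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>

/* Hypothetical helper (not findutils code): open NAME under PARENT_FD,
 * which an earlier lstat() reported as a directory (EXPECTED).  A
 * symbolic link put in its place during the lstat/chdir window makes
 * openat() fail with ELOOP because of O_NOFOLLOW; an object that was
 * replaced by another directory is caught by the dev/ino comparison.
 * Returns a descriptor usable with fchdir(), or -1 with errno set. */
int open_dir_verified(int parent_fd, const char *name,
                      const struct stat *expected)
{
    int fd = openat(parent_fd, name,
                    O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat now;
    if (fstat(fd, &now) != 0) {
        int e = errno; close(fd); errno = e; return -1;
    }
    if (now.st_dev != expected->st_dev || now.st_ino != expected->st_ino) {
        close(fd);
        errno = EXDEV;   /* assumed errno meaning "not the object we saw" */
        return -1;
    }
    return fd;
}

/* Constructed scenario: create scratch directories "victim" and
 * "elsewhere", lstat() "victim", and if SWAP is nonzero replace "victim"
 * with a symbolic link to "elsewhere" (standing in for the attacker who
 * acts inside the race window).  Returns 1 if open_dir_verified()
 * accepted the entry, 0 if it rejected it, -1 on setup failure. */
int check_scenario(int swap)
{
    char tmpl[] = "/tmp/findrace.XXXXXX";
    char fallback[] = "./findrace.XXXXXX";
    char *base = mkdtemp(tmpl);
    if (!base)
        base = mkdtemp(fallback);   /* assumption: cwd is writable if /tmp is not */
    if (!base) return -1;
    int base_fd = open(base, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    int result = -1;
    struct stat seen;
    if (base_fd >= 0 &&
        mkdirat(base_fd, "victim", 0700) == 0 &&
        mkdirat(base_fd, "elsewhere", 0700) == 0 &&
        fstatat(base_fd, "victim", &seen, AT_SYMLINK_NOFOLLOW) == 0 &&
        S_ISDIR(seen.st_mode)) {
        int ok = 1;
        if (swap)   /* the substitution: directory out, symlink in */
            ok = unlinkat(base_fd, "victim", AT_REMOVEDIR) == 0 &&
                 symlinkat("elsewhere", base_fd, "victim") == 0;
        if (ok) {
            int fd = open_dir_verified(base_fd, "victim", &seen);
            result = (fd >= 0) ? 1 : 0;
            if (fd >= 0)
                close(fd);   /* a real caller would fchdir(fd) here */
        }
    }
    /* Clean up whichever objects exist; errors are deliberately ignored. */
    if (base_fd >= 0) {
        unlinkat(base_fd, "victim", 0);
        unlinkat(base_fd, "victim", AT_REMOVEDIR);
        unlinkat(base_fd, "elsewhere", AT_REMOVEDIR);
        close(base_fd);
    }
    rmdir(base);
    return result;
}

int main(void)
{
    printf("honest directory accepted:  %d\n", check_scenario(0));
    printf("swapped symlink accepted:   %d\n", check_scenario(1));
    return 0;
}
```

The important design point is that the descriptor returned by
'open_dir_verified' is what gets used afterwards: passing it to 'fchdir'
(or using it as the 'dirfd' argument of 'openat' and 'fstatat') means the
traversal continues in the object that was checked, not in whatever a
path lookup resolves to a moment later.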