fix: harden avatar load against symlink TOCTOU (v0.6.19)
Audit / cargo-audit (push) Failing after 1s
Update PKGBUILD version / update-pkgver (push) Successful in 3s

SEC-01 (security audit, LOW): the avatar load followed symlinks via
gio::File while the wallpaper load was already O_NOFOLLOW-hardened — the
project's lock-path hardening was applied inconsistently. Share one
read_file_nofollow loader for both file reads so they cannot diverge
again; a symlinked ~/.face now fails open with ELOOP and falls back to
the default avatar. Adds loader unit tests (regular file, symlink->ELOOP).

Bundles clippy cleanup: c"" literal in auth.rs, let-chains, drop
redundant gtk4_session_lock import, blur guard via .filter() (unifies
with moongreet/moonset).
2026-06-17 11:53:46 +02:00
parent 56a8634a58
commit 9d7f39fe05
8 changed files with 90 additions and 44 deletions
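The shared O_NOFOLLOW loader that the commit message describes, as an added illustration in Rust that is not moonlock's own code: the `read_file_nofollow` and `load_avatar` names, the constructed `face.png`/`face_link` fixture and the hand-written Linux `O_NOFOLLOW` constant are assumptions, not taken from the project.

```rust
use std::fs::OpenOptions;
use std::io::{self, Read};
use std::os::unix::fs::OpenOptionsExt;
use std::path::Path;

// Assumption: Linux asm-generic value of O_NOFOLLOW (0o400000); a real crate
// would take it from the `libc` crate rather than a hand-written constant.
const O_NOFOLLOW: i32 = 0o400000;

/// Read a whole file, refusing to follow a symlink at the final path
/// component. The kernel enforces this inside open(2), so there is no
/// lstat-then-open window in which a regular file can be swapped for a
/// symlink (the TOCTOU the commit title refers to).
pub fn read_file_nofollow(path: &Path) -> io::Result<Vec<u8>> {
    // A symlink at `path` makes open(2) fail with ELOOP.
    let mut f = OpenOptions::new().read(true).custom_flags(O_NOFOLLOW).open(path)?;
    let mut buf = Vec::new();
    f.read_to_end(&mut buf)?;
    Ok(buf)
}

/// Avatar loader on top of the shared reader: any error (ELOOP, ENOENT,
/// EACCES, ...) falls back to the default avatar bytes.
pub fn load_avatar(face_path: &Path, default_avatar: &[u8]) -> Vec<u8> {
    read_file_nofollow(face_path).unwrap_or_else(|e| {
        eprintln!("avatar: {}: {e}; using default", face_path.display());
        default_avatar.to_vec()
    })
}

/// Constructed fixture: a regular `face.png` plus a `face_link` symlink to
/// it in a fresh temp dir; returns what the loader yields for each path.
pub fn demo() -> (Vec<u8>, Vec<u8>) {
    let dir = std::env::temp_dir().join(format!("nofollow-demo-{}", std::process::id()));
    std::fs::create_dir_all(&dir).unwrap();
    let real = dir.join("face.png");
    std::fs::write(&real, b"PNG-bytes").unwrap();
    let link = dir.join("face_link");
    let _ = std::fs::remove_file(&link);
    std::os::unix::fs::symlink(&real, &link).unwrap();
    let out = (load_avatar(&real, b"DEFAULT"), load_avatar(&link, b"DEFAULT"));
    let _ = std::fs::remove_dir_all(&dir);
    out
}

fn main() {
    let (a, b) = demo();
    println!("regular: {:?}  symlink: {:?}", String::from_utf8_lossy(&a), String::from_utf8_lossy(&b));
}
```

The regular file is read normally while the symlinked path is rejected at open time and yields the default avatar, which is the behaviour the commit message states for a symlinked `~/.face`.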
Generated
+1 -1
@@ -575,7 +575,7 @@ dependencies = [
[[package]]
name = "moonlock"
version = "0.6.18"
version = "0.6.19"
dependencies = [
"gdk-pixbuf",
"gdk4",
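Review bot: the Audit / cargo-audit check is reported as failing after 1s on this push, and this hunk edits the lockfile that job reads, so the failure should be explained before the 0.6.18 -> 0.6.19 bump is merged. The hunk as shown is also cut off after `"gdk4",`, so the rest of the moonlock package's dependency list is not visible here.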