fix: harden avatar load against symlink TOCTOU (v0.6.19)
SEC-01 (security audit, LOW): the avatar load followed symlinks via gio::File while the wallpaper load was already O_NOFOLLOW-hardened — the project's lock-path hardening was applied inconsistently. Share one read_file_nofollow loader for both file reads so they cannot diverge again; a symlinked ~/.face now fails open with ELOOP and falls back to the default avatar. Adds loader unit tests (regular file, symlink->ELOOP). Bundles clippy cleanup: c"" literal in auth.rs, let-chains, drop redundant gtk4_session_lock import, blur guard via .filter() (unifies with moongreet/moonset).
This commit is contained in:
+1
-1
@@ -1,6 +1,6 @@
|
||||
[package]
|
||||
name = "moonlock"
|
||||
version = "0.6.18"
|
||||
version = "0.6.19"
|
||||
edition = "2024"
|
||||
description = "A secure Wayland lockscreen with GTK4, PAM and fingerprint support"
|
||||
license = "MIT"
|
||||
|
||||
Reference in New Issue
Block a user