authorDavid Lönnhager <david.l@mullvad.net>2025-03-20 22:52:09 +0100
committerDavid Lönnhager <david.l@mullvad.net>2025-03-21 13:25:50 +0100
commita5b7a21a187e09880b41e342c778e783ecc2efc0 (patch)
treed5ca991870eb34d1eb32bba494fdbb3a3f121e51
parent0f58351bed614746d2d326007e8255d23b1f0893 (diff)
downloadmullvadvpn-a5b7a21a187e09880b41e342c778e783ecc2efc0.tar.xz
mullvadvpn-a5b7a21a187e09880b41e342c778e783ecc2efc0.zip
Do not imply that TOCTOU is mitigated by random dir name
-rw-r--r--installer-downloader/src/temp.rs7
1 files changed, 4 insertions, 3 deletions
diff --git a/installer-downloader/src/temp.rs b/installer-downloader/src/temp.rs
index a40019df4f..1c30bf5e37 100644
--- a/installer-downloader/src/temp.rs
+++ b/installer-downloader/src/temp.rs
@@ -11,10 +11,11 @@
//! # macOS
//!
//! The downloader does not run as a privileged user, so we store downloads in a temporary
-//! directory.
+//! directory that only the current user may access.
//!
-//! This is vulnerable to TOCTOU, ie replacing the file after its hash has been verified, but only
-//! by the current user. Using a random directory name mitigates this issue.
+//! This is potentially vulnerable to TOCTOU, ie replacing the file after its hash has been
+//! verified, but only by the current user. However, this would require asking the user to approve
+//! privilege escalation, just like the actual installer does.
use anyhow::Context;
use async_trait::async_trait;
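Review bot: The new module doc now asserts that the temporary directory is one "that only the current user may access", but nothing in this hunk shows where that restriction is enforced, so a maintainer cannot verify the claim from the comment alone; it would help to name the mechanism, e.g. `//! The directory is created with restrictive permissions (see <function that creates the directory>) — TODO confirm mode`, with the placeholder replaced by the actual creation site. The closing sentence argues the residual TOCTOU is acceptable because the attacker would need the same privilege-escalation approval the installer already requests; it would be clearer to state that this is an accepted residual risk rather than a mitigation, since a process already running as the current user is inside the trust boundary this downloader operates in. The code that creates and uses the directory lies outside the hunk, so the above is inferred from the doc text only.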