From aa5ce03b40003ee8f7cfff4d2f1285b405f5906a Mon Sep 17 00:00:00 2001
From: Karen Arutyunov
Date: Sat, 18 Mar 2017 00:55:59 +0300
Subject: Fix file descriptors leakage to child process on Windows

---
 butl/fdstream | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

(limited to 'butl/fdstream')

diff --git a/butl/fdstream b/butl/fdstream
index 8d6385f..6697dd9 100644
--- a/butl/fdstream
+++ b/butl/fdstream
@@ -487,7 +487,9 @@ namespace butl
   // Windows permissions other than ru and wu are unlikelly to have effect.
   //
   // Also note that on POSIX the FD_CLOEXEC flag is set for the file descriptor
-  // to prevent its leakage into child processes.
+  // to prevent its leakage into child processes. On Windows, for the same
+  // purpose, the _O_NOINHERIT flag is set. Note that the process class, that
+  // passes such a descriptor to the child, makes it inheritable for a while.
   //
   LIBBUTL_EXPORT auto_fd
   fdopen (const char*,
@@ -516,9 +518,16 @@ namespace butl
   // Note that on POSIX the FD_CLOEXEC flag is set for the new descriptor if it
   // is present for the source one. That's in contrast to POSIX dup() that
   // doesn't copy file descriptor flags. Also note that duplicating descriptor
-  // and setting the flag is not an atomic operation.
+  // and setting the flag is not an atomic operation generally, but it is in
+  // regards to child process spawning (to prevent file descriptor leakage into
+  // a child process).
-  // @@ Should we copy HANDLE_FLAG_INHERIT flag on Windows as well?
+  // Note that on Windows the _O_NOINHERIT flag is set for the new descriptor
+  // if it is present for the source one. That's in contrast to Windows _dup()
+  // that doesn't copy the flag. Also note that duplicating descriptor and
+  // setting the flag is not an atomic operation generally, but it is in
+  // regards to child process spawning (to prevent file descriptor leakage into
+  // a child process).
   //
   LIBBUTL_EXPORT auto_fd
   fddup (int fd);
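Review bot: The new sentence "makes it inheritable for a while" in the fdopen() comment documents a window in which the descriptor is inheritable by any child created concurrently, which is exactly the leak this commit sets out to close, yet the comment does not say what bounds that window. If the process class serializes its spawns (the implementation is outside this hunk), say so; if it does not pass an explicit handle list (PROC_THREAD_ATTRIBUTE_HANDLE_LIST via STARTUPINFOEX), a concurrent CreateProcess() with bInheritHandles=TRUE issued from another thread, including by code that bypasses the process class, can still inherit it during that window. I would replace the last sentence with something like `// Note that the process class, which passes such a descriptor to the child, makes it inheritable only for the duration of the spawn; spawns performed directly via CreateProcess() from other threads are not protected.`, adjusted to what the process class actually guarantees. The relative clause should also read "which passes" rather than "that passes". The fdopen() declaration continues past the end of the hunk.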
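Review bot: The fddup() comment now asserts that dup-then-set-flag "is [atomic] in regards to child process spawning" without naming the mechanism or its scope, so a reader cannot tell what the guarantee rests on. Presumably it holds only for spawns that go through whatever synchronization the process class uses, not for a fork()/exec or CreateProcess() issued directly by other code in the same process (another library, a third-party runtime), and that limit is worth stating explicitly since a leaked write end is a deadlock vector, as the fdopen_pipe() comment notes. On POSIX, `fcntl (fd, F_DUPFD_CLOEXEC, 0)` duplicates and sets close-on-exec in a single call where available, which removes the window rather than relying on serialization; if fddup() does not use it, a sentence saying why would help. Suggested wording for both paragraphs: `// ... not an atomic operation generally, but it is serialized with child process spawning performed via the process class (spawns done directly from other threads are not covered).` The implementation of fddup() is not in this hunk.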
@@ -608,8 +617,10 @@ namespace butl
   // automatically closed by the child process to prevent undesired behaviors
   // (such as child deadlock on read from a pipe due to the write-end leakage
   // into the child process). Opening pipe and setting the flag is not an
-  // atomic operation. Also note that you don't need to reset the flag for a
-  // pipe end being passed to the process class ctor.
+  // atomic operation generally, but it is in regards to child process spawning
+  // (to prevent file descriptor leakage into child processes spawned from
+  // other threads). Also note that you don't need to reset the flag for a pipe
+  // end being passed to the process class ctor.
   //
   LIBBUTL_EXPORT fdpipe
   fdopen_pipe (fdopen_mode = fdopen_mode::none);
-- 
cgit v1.1
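Review bot: The new parenthetical "child processes spawned from other threads" overstates the guarantee: a pipe end created non-atomically can only be protected against spawns that participate in the same synchronization (presumably the process class), not against a fork()/exec or CreateProcess() made directly by another thread, and the comment should say so since the paragraph itself explains that such a leak can deadlock the child. Where `pipe2 (fds, O_CLOEXEC)` is available (Linux, the BSDs) both ends are created close-on-exec in one call, and on Windows CreatePipe() with a SECURITY_ATTRIBUTES whose bInheritHandle is FALSE gives the same result, so the non-atomic path could be limited to platforms lacking these; if fdopen_pipe() already does this, the comment should mention it rather than describing the race as the general case. I would change the sentence to `// atomic operation generally, but it is serialized with child process spawning performed via the process class, which prevents leakage into children spawned from other threads through that class.` Also "in regards to" is non-standard; "with regard to" reads better. The fdopen_pipe() implementation is outside this hunk.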