From d97983ee5e4581c55bae5671e4f6d6aefd78f937 Mon Sep 17 00:00:00 2001
From: Peter Hutterer
Date: Thu, 16 Apr 2026 10:27:05 +1000
Subject: [PATCH] util: use lstat() instead of stat() in rmdir_r to prevent symlink attacks
stat() follows symbolic links which is definitely something we don't want. If an attacker can place a symlink inside a directory being recursively deleted (e.g. a temporary directory), stat() will report the type of the symlink's target rather than the symlink itself. If the target is a directory, rmdir_r() will follow the symlink and recursively delete the target directory's contents outside the intended directory tree. This has no real effect, this is only used in the test suite.
Co-Authored-by: Claude Code
Part-of:
---
 src/util-files.h | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/util-files.h b/src/util-files.h
index a05b5794..9da1c022 100644
--- a/src/util-files.h
+++ b/src/util-files.h
@@ -74,10 +74,12 @@ rmdir_r(const char *dir)
 _autofree_ char *path = strdup_printf("%s/%s", dir, entry->d_name);
 struct stat st;
- if (stat(path, &st) < 0)
+ if (lstat(path, &st) < 0)
 return -errno;
- if (S_ISDIR(st.st_mode))
+ if (S_ISLNK(st.st_mode))
+ rc = unlink(path) < 0 ? -errno : 0;
+ else if (S_ISDIR(st.st_mode))
 rc = rmdir_r(path);
 else
 rc = unlink(path) < 0 ? -errno : 0;
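Review bot: The `lstat(path, &st)` check and the later `rmdir_r(path)` / `unlink(path)` each resolve `path` again, so the new S_ISLNK/S_ISDIR test still leaves a window in which the entry can be swapped for a symlink before the recursive call opens it. How rmdir_r() opens the directory is outside this hunk, but if it is path-based, closing that window means working relative to a directory fd: `fstatat(dirfd, entry->d_name, &st, AT_SYMLINK_NOFOLLOW)`, `openat()` with `O_DIRECTORY | O_NOFOLLOW` for the descent, and `unlinkat()` for removal. For a helper used only by the test suite a comment may be enough, e.g. `/* lstat: never follow symlinks; check-then-use is not race-free, test-suite only */`. Separately, the explicit S_ISLNK branch does exactly what the final `else` does (S_ISDIR is already false for a symlink after lstat()), so it documents intent rather than changing behaviour and could be folded into that comment.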