windows: Enable default security parameters on file creation to avoid named pipe exploit

Fixes #42036

As noted in [this paper][1], the threat model for the exploit is a priveleged Rust process which accepts a file path from a malicious program. With this exploit, the malicious program can pass a named pipe to the priveleged process and gain its elevated priveleges.

The fix is to change the default OpenOptions to contain the proper security flags. [The .NET FileStream][2] has this same behavior by default. We're using the `SecurityIdentification` security level which is more permissive, but still blocks the exploit.

This is technically a breaking change. If someone were using a named pipe to impersonate a program *on purpose*, they would have to add `.security_qos_flags(0)` to their `OpenOptions` to keep working.

[1]: http://www.blakewatts.com/namedpipepaper.html
[2]: http://referencesource.microsoft.com/#mscorlib/system/io/filestream.cs,837

Author: mattico

src/libstd/sys/windows/c.rs

@@ -117,6 +117,7 @@ pub const FILE_GENERIC_WRITE: DWORD = STANDARD_RIGHTS_WRITE | FILE_WRITE_DATA |
 pub const FILE_FLAG_OPEN_REPARSE_POINT: DWORD = 0x00200000;
 pub const FILE_FLAG_BACKUP_SEMANTICS: DWORD = 0x02000000;
 pub const SECURITY_SQOS_PRESENT: DWORD = 0x00100000;
+pub const SECURITY_IDENTIFICATION: DWORD = 0x00010000;
 
 pub const FIONBIO: c_ulong = 0x8004667e;
 

src/libstd/sys/windows/fs.rs

@@ -184,7 +184,7 @@ impl OpenOptions {
             access_mode: None,
             share_mode: c::FILE_SHARE_READ | c::FILE_SHARE_WRITE | c::FILE_SHARE_DELETE,
             attributes: 0,
-            security_qos_flags: 0,
+            security_qos_flags: c::SECURITY_SQOS_PRESENT | c::SECURITY_IDENTIFICATION,
             security_attributes: 0,
         }
     }