From 0307bb7520c856f3e586815959141103ed7590c4 Mon Sep 17 00:00:00 2001
From: Paolo Greppi <paolo.greppi@libpf.com>
Date: Thu, 11 Jan 2018 12:30:09 +0100
Subject: [PATCH] use fs.lchown rather than fs.chown and thereby fix the
 symlinks problem #3 while not causing the TOCTOU vulnerability #14

---
 chownr.js | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/chownr.js b/chownr.js
index ecd7b45..8112967 100644
--- a/chownr.js
+++ b/chownr.js
@@ -15,19 +15,12 @@ function chownr (p, uid, gid, cb) {
     , errState = null
     children.forEach(function (child) {
       var pathChild = path.resolve(p, child);
-      fs.lstat(pathChild, function(er, stats) {
-        if (er)
-          return cb(er)
-        if (!stats.isSymbolicLink())
-          chownr(pathChild, uid, gid, then)
-        else
-          then()
-        })
+      chownr(pathChild, uid, gid, then)
     })
     function then (er) {
       if (errState) return
       if (er) return cb(errState = er)
-      if (-- len === 0) return fs.chown(p, uid, gid, cb)
+      if (-- len === 0) return fs.lchown(p, uid, gid, cb)
     }
   })
 }