README: add TOCTOU warning

Signed-off-by: Aleksa Sarai <[email protected]>

README.md

@@ -7,6 +7,19 @@ standard library][go#20126]. The purpose of this function is to be a "secure"
 alternative to `filepath.Join`, and in particular it provides certain
 guarantees that are not provided by `filepath.Join`.
 
+> **NOTE**: This code is *only* safe if you are not at risk of other processes
+> modifying path components after you've used `SecureJoin`. If it is possible
+> for a malicious process to modify path components of the resolved path, then
+> you will be vulnerable to some fairly trivial TOCTOU race conditions. [There
+> are some Linux kernel patches I'm working on which might allow for a better
+> solution.][lwn-obeneath]
+>
+> In addition, with a slightly modified API it might be possible to use
+> `O_PATH` and verify that the opened path is actually the resolved one -- but
+> I have not done that yet. I might add it in the future as a helper function
+> to help users verify the path (we can't just return `/proc/self/fd/<foo>`
+> because that doesn't always work transparently for all users).
+
 This is the function prototype:
 
 ```go
@@ -57,6 +70,7 @@ func SecureJoin(root, unsafePath string) (string, error) {
 }
 ```
 
+[lwn-obeneath]: https://lwn.net/Articles/767547/
 [go#20126]: https://github.com/golang/go/issues/20126
 
 ### License ###