https://issues.apache.org/bugzilla/show_bug.cgi?id=56757
Bug ID: 56757
Summary: [PATCH] Possible symlink race condition vulnerability
when creating temp files
Product: POI
Version: 3.11-dev
Hardware: PC
Status: NEW
Severity: major
Priority: P2
Component: POI Overall
Assignee: [email protected]
Reporter: [email protected]
Created attachment 31839
--> https://issues.apache.org/bugzilla/attachment.cgi?id=31839&action=edit
Fix for symlink race condition vulnerability when creating temp files
The org.apache.poi.util.TempFile.createTempFile() method generates a random
file name and checks whether a file with that name already exists, but it
neither creates the file nor checks for and creates it atomically.
As far as I see (but please correct me if I'm wrong) this constitutes a symlink
race condition vulnerability.
The attached patch fixes this by delegating the temp file creation to Java's
File.createTempFile() method.
The patch contains two small API changes:
- TempFile.createTempFile() now throws an IOException as it creates the file.
- I deleted the org.apache.poi.util.PackageHelper.createTempFile() method as it
is not used by POI and would actively re-enable the race condition
vulnerability by deleting the newly created file.
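The race the report describes, as an added illustration (not code from the POI project or from the attachment): `chooseNameUnsafe()` is a hypothetical reconstruction of the "pick a name, check it does not exist, hand the path back uncreated" pattern, and the attacker step is simulated in the same process by planting a symlink between the existence check and the open. The safe variant delegates to `File.createTempFile()`, which creates the file atomically, so a symlink can no longer be placed at that path.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.SecureRandom;

public class TempFileRaceDemo {

    // Hypothetical reconstruction of the reported pattern: the name is chosen and
    // checked, but nothing is created, so the check proves nothing by the time the
    // caller opens the path (classic TOCTOU).
    static File chooseNameUnsafe(File dir, String prefix, String suffix) {
        SecureRandom rnd = new SecureRandom();
        File candidate;
        do {
            candidate = new File(dir, prefix + Long.toHexString(rnd.nextLong()) + suffix);
        } while (candidate.exists()); // check ...
        return candidate;             // ... but no create: the window is open here
    }

    // The fix from the report: let the JDK create the file. File.createTempFile()
    // creates with exclusive-create semantics and retries on collision, so the
    // path it returns already exists and is owned by us.
    static File createTempFileSafe(File dir, String prefix, String suffix) throws IOException {
        return File.createTempFile(prefix, suffix, dir);
    }

    // Returns true if writing through the unsafe path clobbered the victim file.
    static boolean demonstrateRace(Path dir) throws IOException {
        Path victim = dir.resolve("victim.txt"); // constructed sample target
        Files.write(victim, "important data".getBytes(StandardCharsets.UTF_8));

        File f = chooseNameUnsafe(dir.toFile(), "poi-", ".tmp");

        // Attacker wins the race: a symlink now sits where the temp file will go.
        // (Symlink creation needs a privilege on Windows; run on a POSIX system.)
        Files.createSymbolicLink(f.toPath(), victim);

        // Victim code "creates" its temp file; the open follows the link.
        try (FileOutputStream out = new FileOutputStream(f)) {
            out.write("clobbered".getBytes(StandardCharsets.UTF_8));
        }
        String now = new String(Files.readAllBytes(victim), StandardCharsets.UTF_8);
        return now.equals("clobbered");
    }

    // Returns true if the attacker can no longer plant a link at the temp path.
    static boolean demonstrateFix(Path dir) throws IOException {
        Path victim = dir.resolve("victim2.txt"); // constructed sample target
        Files.write(victim, "important data".getBytes(StandardCharsets.UTF_8));

        File g = createTempFileSafe(dir.toFile(), "poi-", ".tmp");
        try {
            Files.createSymbolicLink(g.toPath(), victim);
            return false; // should not happen: the file already exists
        } catch (FileAlreadyExistsException expected) {
            return true;
        }
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("poi-race-demo-");
        System.out.println("unsafe pattern clobbered victim: " + demonstrateRace(dir));
        System.out.println("safe pattern blocks symlink:      " + demonstrateFix(dir));
    }
}
```

Two caveats worth keeping in mind when reviewing the patch: the fix only holds as long as nobody deletes the created file and later re-opens the same path (which is exactly why the report drops `PackageHelper.createTempFile()`), and `File.createTempFile()` creates the file with the process's default permissions, whereas `java.nio.file.Files.createTempFile()` is documented to use more restrictive permissions when no attributes are given, which matters when the temp directory is shared.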
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]