metsw24-max opened a new pull request, #1063: URL: https://github.com/apache/poi/pull/1063
This patch hardens POI temporary file and directory handling by restricting access permissions to the owning user where supported.

`DefaultTempFileCreationStrategy` previously relied on platform-default permissions when creating temporary artifacts. These temporary files and directories can contain sensitive intermediate document data during processing, including streamed workbook contents, extracted package data, and decrypted document material.

The change updates temp file handling to:

* Apply restrictive POSIX permissions atomically during temp file and temp directory creation (`rw-------` for files, `rwx------` for directories) on POSIX-capable platforms
* Fall back to best-effort owner-only restrictions on non-POSIX platforms
* Restrict the POI temp directory itself to owner-only access where supported
* Preserve existing behavior and compatibility while reducing unintended local filesystem exposure

The patch also adds regression tests validating that created temporary files do not expose group/other read or write permissions on POSIX-supported filesystems.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
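The pattern the description outlines, as an added example that is not code from the pull request or from Apache POI: permissions are passed as a creation-time attribute on POSIX file systems, with a best-effort owner-only fallback elsewhere. The class `OwnerOnlyTemp`, its method names and the `poi-example-` prefix are hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

// Hypothetical helper for illustration; not POI's DefaultTempFileCreationStrategy.
public class OwnerOnlyTemp {
    private static final boolean POSIX =
        FileSystems.getDefault().supportedFileAttributeViews().contains("posix");

    private static FileAttribute<Set<PosixFilePermission>> perms(String mode) {
        return PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString(mode));
    }

    static Path createDir(Path parent, String prefix) throws IOException {
        if (POSIX) {
            // Mode is applied as part of creation: no window with wider access.
            return Files.createTempDirectory(parent, prefix, perms("rwx------"));
        }
        return restrictBestEffort(Files.createTempDirectory(parent, prefix), true);
    }

    static Path createFile(Path dir, String prefix, String suffix) throws IOException {
        if (POSIX) {
            return Files.createTempFile(dir, prefix, suffix, perms("rw-------"));
        }
        return restrictBestEffort(Files.createTempFile(dir, prefix, suffix), false);
    }

    // Non-POSIX fallback: applied after creation, so it is not atomic, and the
    // boolean results are ignored because some platforms cannot honour the request.
    private static Path restrictBestEffort(Path p, boolean isDir) {
        File f = p.toFile();
        f.setReadable(false, false);   f.setReadable(true, true);
        f.setWritable(false, false);   f.setWritable(true, true);
        f.setExecutable(false, false); f.setExecutable(isDir, true);
        return p;
    }

    public static void main(String[] args) throws IOException {
        Path dir = createDir(Paths.get(System.getProperty("java.io.tmpdir")), "poi-example-");
        Path file = createFile(dir, "sheet", ".tmp");
        if (POSIX) { // print the effective modes so group/other access can be checked
            System.out.println(PosixFilePermissions.toString(Files.getPosixFilePermissions(dir)));
            System.out.println(PosixFilePermissions.toString(Files.getPosixFilePermissions(file)));
        }
        Files.delete(file);
        Files.delete(dir);
    }
}
```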
