Premek Vyhnal created MWRAPPER-50:
-------------------------------------

             Summary: Verify checksum when downloading maven-wrapper.jar  
                 Key: MWRAPPER-50
                 URL: https://issues.apache.org/jira/browse/MWRAPPER-50
             Project: Maven Wrapper
          Issue Type: Bug
            Reporter: Premek Vyhnal


Hi,

Sorry if I just cannot find it, but it seems the checksum of the `maven-wrapper.jar` downloaded 
here is not checked:

[https://github.com/apache/maven-wrapper/blob/efba2bde13feeabfb42e9dc120e8a35c127baf0d/maven-wrapper-distribution/src/resources/mvnw#L207]

Checksum of the downloaded file should be checked before executing it to avoid 
a remote code execution attack on the developer machine.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
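
The check requested in the report, sketched as an added example in POSIX sh; it is not code from the Maven Wrapper project. The function names `sha256_of` and `verify_jar` are hypothetical, and the expected digest is assumed to come from a trusted, version-controlled source rather than from the download server.

```shell
#!/bin/sh
# Added example: verify a downloaded jar against a pinned SHA-256 before it runs.

# Print the lowercase hex SHA-256 of a file with whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    echo "no SHA-256 tool found (need sha256sum or shasum)" >&2
    return 2
  fi
}

# verify_jar FILE EXPECTED_HEX
# Returns 0 only on a match, 1 on mismatch, 2 on a usage or tooling error.
# Fails closed: on any failure the file is removed so a later run cannot
# pick up an unverified jar.
verify_jar() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  # A missing or malformed pin is an error, never a reason to skip the check.
  case $expected in
    ''|*[!0-9a-f]*) echo "invalid expected checksum" >&2; rm -f "$file"; return 2 ;;
  esac
  [ ${#expected} -eq 64 ] || { echo "invalid expected checksum" >&2; rm -f "$file"; return 2; }
  [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
  actual=$(sha256_of "$file") || { rm -f "$file"; return 2; }
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    rm -f "$file"
    return 1
  fi
  return 0
}

# Constructed demo: a 3-byte stand-in for the downloaded jar and its known digest.
demo=$(mktemp) && printf 'abc' > "$demo"
verify_jar "$demo" ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad \
  && echo "verified, safe to execute"
rm -f "$demo"
```

In a wrapper script the call would sit between the download step and the `java` invocation, with a non-zero return aborting the run.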
