[
https://issues.apache.org/jira/browse/MWRAPPER-50?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17470944#comment-17470944
]
Premek Vyhnal commented on MWRAPPER-50:
---------------------------------------
> both MD5 and SHA1 are "broken"
I didn't remember that about sha1 from the top of my head, lets *use sha256sum*
then.
> An attacker could replace both JAR and .sha1 files
I didn't mean it like that, see my note that I added later. The link to the
.sha1 file was confusing, sorry.
I think the checksum should be hardcoded in the mvnw script somehow, probably
in the properties file, filled in by the release process (not sure how exactly
that works)
> Verify checksum when downloading maven-wrapper.jar
> ----------------------------------------------------
>
> Key: MWRAPPER-50
> URL: https://issues.apache.org/jira/browse/MWRAPPER-50
> Project: Maven Wrapper
> Issue Type: Bug
> Reporter: Premek Vyhnal
> Priority: Major
>
> Hi,
> Sorry if I just cannot find it
> but it seems the checksum is not checked of the `maven-wrapper.jar`
> downloaded here:
> [https://github.com/apache/maven-wrapper/blob/efba2bde13feeabfb42e9dc120e8a35c127baf0d/maven-wrapper-distribution/src/resources/mvnw#L207]
>
> Checksum of the downloaded file should be checked before executing it to
> avoid a remote code execution attack on the developer machine.
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
