[https://issues.apache.org/jira/browse/MWRAPPER-50?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17470962#comment-17470962]
Marcin Zajaczkowski commented on MWRAPPER-50:
---------------------------------------------
> I didn't mean it like that, see my note that I added later.
I replied quickly and missed your update, sorry for the confusion.
> I think the checksum should be hardcoded in the mvnw script somehow, probably
> in the properties file, filled in by the release process (not sure how
> exactly that works)
Yes, you are right. It works that way also in Gradle. Recently, I've been
scripting an automatic local wrapper checksum generation based on the published
official checksums, which sidetracked me. In that case, a hardcoded value in
the local wrapper .properties file is ok.
> Verify checksum when downloading maven-wrapper.jar
> ----------------------------------------------------
>
> Key: MWRAPPER-50
> URL: https://issues.apache.org/jira/browse/MWRAPPER-50
> Project: Maven Wrapper
> Issue Type: Bug
> Reporter: Premek Vyhnal
> Priority: Major
>
> Hi,
> Sorry if I just cannot find it, but it seems the checksum of the
> `maven-wrapper.jar` downloaded here is not checked:
> [https://github.com/apache/maven-wrapper/blob/efba2bde13feeabfb42e9dc120e8a35c127baf0d/maven-wrapper-distribution/src/resources/mvnw#L207]
>
> Checksum of the downloaded file should be checked before executing it to
> avoid a remote code execution attack on the developer machine.
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
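A worked example of the check this thread is converging on, added here as an illustration and not taken from the maven-wrapper project's own mvnw script: a small POSIX sh fragment that reads a SHA-256 digest pinned in .mvn/wrapper/maven-wrapper.properties and refuses to use (and deletes) a downloaded maven-wrapper.jar whose digest does not match. The property name wrapperSha256Sum, the function names, and the fail-closed behaviour when no digest is pinned are assumptions of this example, modelled on Gradle's distributionSha256Sum rather than on anything the Maven Wrapper release process defines.

```shell
#!/bin/sh
# Added example, not the maven-wrapper project's code. Verifies a downloaded
# maven-wrapper.jar against a SHA-256 value pinned in the local properties
# file. The key name "wrapperSha256Sum" is an assumption for this example,
# modelled on Gradle's distributionSha256Sum.

# Print the SHA-256 hex digest of a file, using whichever tool is installed
# (sha256sum on GNU/Linux, shasum on macOS/BSD).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Read one key=value entry from a .properties file; the last definition wins
# and surrounding whitespace is stripped. Prints nothing if the key is absent.
read_property() {
  # $1 = properties file, $2 = key
  grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null \
    | tail -n 1 \
    | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Return 0 when the file's SHA-256 equals the expected digest, 1 otherwise.
# The comparison is case-insensitive because digests are often pasted in
# upper case; an empty expected value never matches.
verify_sha256() {
  # $1 = file, $2 = expected hex digest
  actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Gate the wrapper jar: return 0 only if the pinned digest matches. On a
# mismatch the jar is deleted so a later run cannot pick it up by accident.
# Fails closed (returns 1) when no digest is pinned at all.
check_wrapper_jar() {
  # $1 = downloaded maven-wrapper.jar, $2 = maven-wrapper.properties
  pinned=$(read_property "$2" wrapperSha256Sum)
  if [ -z "$pinned" ]; then
    echo "no wrapperSha256Sum pinned in $2; refusing to run an unverified jar" >&2
    return 1
  fi
  if verify_sha256 "$1" "$pinned"; then
    return 0
  fi
  echo "checksum mismatch for $1; deleting it" >&2
  rm -f "$1"
  return 1
}

# Typical call site, right after the download completes and before the jar
# is handed to java:
#   check_wrapper_jar .mvn/wrapper/maven-wrapper.jar \
#       .mvn/wrapper/maven-wrapper.properties || exit 1
```

The pinned value has to come from the published official checksum for that wrapper version, which is what the comment above describes generating into the local .properties file. Note what this check does and does not cover: it catches a jar that was altered in transit or at a mirror, but not a commit that changes both the URL and the pinned digest in the properties file, so changes to that file still deserve review like any other build-script change.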