emilime93 opened a new pull request, #393:
URL: https://github.com/apache/maven-wrapper/pull/393
I found a vulnerability/bug in the mvnw script on macOS where malformed
SHA-256 checksums in the distributionSha256Sum property may pass validation
despite being invalid. This only impacts cases where the checksum is
incorrectly formatted, not when it's correctly formatted but incorrect.
This occurs because the script invokes sha256sum without the `--strict
flag`, and macOS's Darwin implementation does not enforce strict format
checking by default, unlike GNU coreutils. When a malformed checksum is
provided (e.g., an extra hex character), sha256sum emits a warning to stderr
but returns a success exit code, which the script interprets as valid. Since
stderr is redirected to /dev/null, the warning is silenced. The issue affects
both mvnw and only-mvnw scripts. The fix adds the `--strict` flag to ensure
improperly formatted checksum lines cause validation to fail, aligning macOS
behavior with Linux.
Unfortunately I did not find an easy way to make a test for this.
- [x] Your pull request should address just one issue, without pulling in
other changes.
- [x] Write a pull request description that is detailed enough to understand
what the pull request does, how, and why.
- [x] Each commit in the pull request should have a meaningful subject line
and body.
Note that commits might be squashed by a maintainer on merge.
- [ ] Write unit tests that match behavioral changes, where the tests fail
if the changes to the runtime are not applied.
This may not always be possible but is a best-practice.
- [x] Run `mvn verify` to make sure basic checks pass.
A more thorough check will be performed on your pull request automatically.
- [x] You have run the integration tests successfully (`mvn -Prun-its
verify`).
If your pull request is about ~20 lines of code you don't need to sign an
[Individual Contributor License
Agreement](https://www.apache.org/licenses/icla.pdf) if you are unsure
please ask on the developers list.
To make clear that you license your contribution under
the [Apache License Version 2.0, January
2004](http://www.apache.org/licenses/LICENSE-2.0)
you have to acknowledge this by using the following check-box.
- [x] I hereby declare this contribution to be licenced under the [Apache
License Version 2.0, January 2004](http://www.apache.org/licenses/LICENSE-2.0)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
