https://bz.apache.org/bugzilla/show_bug.cgi?id=64654
Bug ID: 64654
Summary: Ant may still use java.io.tmp as tmp directory
Product: Ant
Version: 1.9.15
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Core
Assignee: notifications@ant.apache.org
Reporter: sourabh.sarvotham.park...@sap.com
Target Milestone: ---

This is in association with CVE-2020-1945.

Affected versions: all Apache Ant versions <= 1.10.8 (including).

The CVE states to use the new Ant property 'ant.tmpdir' for the default tmp directory. But the fix does not restrict users from still using 'java.io.tmpdir' as a tmp directory for Ant. Also, no default or safe value (tmp directory path) is provided for the new Ant property.

This bug is to indicate that it would be good to set a proper default directory path for ant.tmpdir, instead of expecting the user to set the property `ant.tmpdir` with a path value. If the user does not set the `ant.tmpdir` property to a safe path value, the user could still use the 'java.io.tmpdir' property path value as the Ant tmp directory (which is considered unsafe).

The bug is filed in reference to this line in Apache Ant on GitHub:
https://github.com/apache/ant/blob/rel/1.10.8/src/main/org/apache/tools/ant/util/FileUtils.java#L998
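One shape the safe default requested in the report above could take, as an added example that is not Ant's code and not part of the original report: honour `ant.tmpdir` when it is set, otherwise create an owner-only directory under `java.io.tmpdir`. The class and method names (`PrivateTmpDir`, `resolveTmpDir`) and the `ant`/`build` file prefixes are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

// Added illustration; class and method names are hypothetical, not Ant's API.
public class PrivateTmpDir {

    // Directory for temp files: ant.tmpdir when the user set it, otherwise a
    // fresh owner-only directory created under the shared java.io.tmpdir.
    static Path resolveTmpDir() throws IOException {
        String configured = System.getProperty("ant.tmpdir", "");
        if (!configured.isEmpty()) {
            return Paths.get(configured);
        }
        Path shared = Paths.get(System.getProperty("java.io.tmpdir"));
        if (shared.getFileSystem().supportedFileAttributeViews().contains("posix")) {
            // rwx------ is applied at creation time, so there is no window in
            // which other local users can list or read the directory.
            FileAttribute<Set<PosixFilePermission>> ownerOnly =
                PosixFilePermissions.asFileAttribute(
                    PosixFilePermissions.fromString("rwx------"));
            return Files.createTempDirectory(shared, "ant", ownerOnly);
        }
        // Non-POSIX file systems: the name is still unpredictable, but access
        // control is whatever the parent directory grants.
        return Files.createTempDirectory(shared, "ant");
    }

    public static void main(String[] args) throws IOException {
        Path dir = resolveTmpDir();
        Path tmp = Files.createTempFile(dir, "build", ".tmp");
        System.out.println("temp dir:  " + dir);
        System.out.println("temp file: " + tmp);
        if (Files.getFileStore(dir).supportsFileAttributeView("posix")) {
            System.out.println("dir mode:  "
                + PosixFilePermissions.toString(Files.getPosixFilePermissions(dir)));
        }
        Files.delete(tmp);
        // Remove the directory only when this program created it.
        if (System.getProperty("ant.tmpdir", "").isEmpty()) {
            Files.delete(dir);
        }
    }
}
```

Running it with `-Dant.tmpdir=<path>` exercises the first branch; the caller is then responsible for that directory's permissions.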