Posted to dev@phoenix.apache.org by "Daniel Wong (Jira)" <ji...@apache.org> on 2021/11/09 21:53:00 UTC
[jira] [Updated] (PHOENIX-6439) Remove uses of Guava's Files#createTempDir
[ https://issues.apache.org/jira/browse/PHOENIX-6439?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daniel Wong updated PHOENIX-6439:
---------------------------------
Labels: beginner (was: )
> Remove uses of Guava's Files#createTempDir
> ------------------------------------------
>
> Key: PHOENIX-6439
> URL: https://issues.apache.org/jira/browse/PHOENIX-6439
> Project: Phoenix
> Issue Type: Bug
> Reporter: Andrew Kyle Purtell
> Priority: Minor
> Labels: beginner
>
> See CVE-2020-8908. Guava's Files#createTempDir creates files that are world-readable. Phoenix has some test code that uses this API. Chances are eventually someone's security vulnerability scanner will ding you. Not urgent to fix, but the fix is simple:
> "We recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured."
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
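
An added example (not from the Jira issue or from Phoenix's code) of the migration the issue recommends: it requests owner-only permissions explicitly from java.nio.file.Files.createTempDirectory, verifies the resulting mode, and cleans up afterwards. The class name, the helper names and the "phoenix-test-" prefix are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Comparator;
import java.util.Set;
import java.util.stream.Stream;

// Hypothetical test helper; not part of Phoenix.
public class PrivateTempDir {
    private static final Set<PosixFilePermission> OWNER_ONLY = PosixFilePermissions.fromString("rwx------");

    // Before (the call named in the issue): File dir = com.google.common.io.Files.createTempDir();
    static Path create(String prefix) throws IOException {
        if (!FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
            // No POSIX attribute view (e.g. Windows): rwx bits cannot be passed, use the JDK default.
            return Files.createTempDirectory(prefix);
        }
        Path dir = Files.createTempDirectory(prefix, PosixFilePermissions.asFileAttribute(OWNER_ONLY));
        // Fail loudly if the directory is not owner-only, instead of assuming it is.
        Set<PosixFilePermission> actual = Files.getPosixFilePermissions(dir);
        if (!actual.equals(OWNER_ONLY)) {
            Files.delete(dir);
            throw new IOException("unexpected mode " + PosixFilePermissions.toString(actual) + " on " + dir);
        }
        return dir;
    }

    // Reverse path order visits children before their parent directories.
    static void deleteRecursively(Path dir) throws IOException {
        try (Stream<Path> walk = Files.walk(dir)) {
            walk.sorted(Comparator.reverseOrder()).forEach(p -> p.toFile().delete());
        }
    }

    public static void main(String[] args) throws IOException {
        Path dir = create("phoenix-test-"); // prefix is a constructed sample value
        try {
            Files.write(dir.resolve("sample.txt"), "constructed sample data".getBytes(StandardCharsets.UTF_8));
            System.out.println("created private temp dir: " + dir);
        } finally {
            deleteRecursively(dir);
        }
    }
}
```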