Posted to dev@phoenix.apache.org by "Daniel Wong (Jira)" <ji...@apache.org> on 2021/11/09 21:53:00 UTC

[jira] [Updated] (PHOENIX-6439) Remove uses of Guava's Files#createTempDir

     [ https://issues.apache.org/jira/browse/PHOENIX-6439?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Wong updated PHOENIX-6439:
---------------------------------
    Labels: beginner  (was: )

> Remove uses of Guava's Files#createTempDir
> ------------------------------------------
>
>                 Key: PHOENIX-6439
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-6439
>             Project: Phoenix
>          Issue Type: Bug
>            Reporter: Andrew Kyle Purtell
>            Priority: Minor
>              Labels: beginner
>
> See CVE-2020-8908. Guava's Files#createTempDir creates files that are world-readable. Phoenix has some test code that uses this API. Chances are eventually someone's security vulnerability scanner will ding you. Not urgent to fix, but the fix is simple:
> "We recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured."



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
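
The migration recommended in the issue, sketched as an added example (not code from Phoenix or from the reporter): a test helper that replaces Guava's Files#createTempDir with java.nio.file.Files.createTempDirectory, checks that the directory really is owner-only, and cleans up afterwards. The class name TempDirs, its method names and the "phoenix-test-" prefix are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Comparator;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;

// Hypothetical test helper; class name and prefix are assumptions, not Phoenix code.
public final class TempDirs {
    // Before: File dir = com.google.common.io.Files.createTempDir();

    /** Creates an owner-only (rwx------) temporary directory under java.io.tmpdir. */
    public static Path createPrivateTempDir(String prefix) throws IOException {
        if (!FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
            // POSIX permission attributes are unsupported here; use the platform default.
            return Files.createTempDirectory(prefix);
        }
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rwx------");
        Path dir = Files.createTempDirectory(prefix, PosixFilePermissions.asFileAttribute(ownerOnly));
        // Verify rather than assume: fail early if the directory is not private.
        Set<PosixFilePermission> actual = Files.getPosixFilePermissions(dir);
        if (!actual.equals(ownerOnly)) {
            throw new IOException("Unexpected permissions on " + dir + ": " + actual);
        }
        return dir;
    }

    /** Deletes the directory tree, children before parents. */
    public static void deleteRecursively(Path dir) throws IOException {
        List<Path> paths;
        try (Stream<Path> walk = Files.walk(dir)) {
            paths = walk.sorted(Comparator.reverseOrder()).collect(Collectors.toList());
        }
        for (Path p : paths) {
            Files.delete(p);
        }
    }

    public static void main(String[] args) throws IOException {
        Path dir = createPrivateTempDir("phoenix-test-");
        try {
            Files.write(dir.resolve("sample.txt"), "constructed sample data".getBytes());
        } finally {
            deleteRecursively(dir);
        }
    }
}
```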