You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@poi.apache.org by bu...@apache.org on 2014/07/22 10:59:08 UTC

[Bug 56757] New: [PATCH] Possible symlink race condition vulnerability when creating temp files

https://issues.apache.org/bugzilla/show_bug.cgi?id=56757

            Bug ID: 56757
           Summary: [PATCH] Possible symlink race condition vulnerability
                    when creating temp files
           Product: POI
           Version: 3.11-dev
          Hardware: PC
            Status: NEW
          Severity: major
          Priority: P2
         Component: POI Overall
          Assignee: dev@poi.apache.org
          Reporter: raul.wegmann@qrr.es

Created attachment 31839
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=31839&action=edit
Fix for symlink race condition vulnerability when creating temp files

The org.apache.poi.util.TempFile.createTempFile() method generates a random
file name and checks whether a file with that name already exists, but it does
neither create the file nor check and create it atomically.

As far as I see (but please correct me if I'm wrong) this constitutes a symlink
race condition vulnerability.

The attached patch fixes this by delegating the temp file creation to Java's
File.createTempFile() method. 

The patch contains two small API changes:
- TempFile.createTempFile() now throws an IOException as it creates the file.
- I deleted the org.apache.poi.util.PackageHelper.createTempFile() method as it
is not used by POI and would actively re-enable the race condition
vulnerability by deleting the newly created file.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org

[Bug 56757] [PATCH] Possible symlink race condition vulnerability when creating temp files

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=56757

Nick Burch <ap...@gagravarr.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED
                 OS|                            |All

--- Comment #1 from Nick Burch <ap...@gagravarr.org> ---
I believe that the patch for this was rolled into GitHub Pull #10, which was
applied in r1613246, so closing this one too, thanks!

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org