Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:FrontRunner
ant.23494
ant-CVE-2020-1945-4.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File ant-CVE-2020-1945-4.patch of Package ant.23494
From a8645a151bc706259fb1789ef587d05482d98612 Mon Sep 17 00:00:00 2001 From: Stefan Bodewig <bodewig@apache.org> Date: Tue, 5 May 2020 15:32:09 +0200 Subject: [PATCH] use nio.Files.createTempFile rather than File.createTempFile --- .../org/apache/tools/ant/util/FileUtils.java | 35 ++++++++++++++++++- .../apache/tools/ant/util/FileUtilsTest.java | 13 +++++++ 2 files changed, 47 insertions(+), 1 deletion(-) diff --git a/src/main/org/apache/tools/ant/util/FileUtils.java b/src/main/org/apache/tools/ant/util/FileUtils.java index 565d69b6f7..46671848c9 100644 --- a/src/main/org/apache/tools/ant/util/FileUtils.java +++ b/src/main/org/apache/tools/ant/util/FileUtils.java @@ -36,9 +36,14 @@ import java.nio.file.Path; import java.nio.file.Paths; import java.nio.file.StandardOpenOption; +import java.nio.file.attribute.FileAttribute; +import java.nio.file.attribute.PosixFileAttributeView; +import java.nio.file.attribute.PosixFilePermission; +import java.nio.file.attribute.PosixFilePermissions; import java.text.DecimalFormat; import java.util.ArrayList; import java.util.Arrays; +import java.util.EnumSet; import java.util.List; import java.util.Locale; import java.util.Optional; @@ -100,6 +105,13 @@ */ public static final long NTFS_FILE_TIMESTAMP_GRANULARITY = 1; + private static final FileAttribute[] TMPFILE_ATTRIBUTES = + new FileAttribute[] { + PosixFilePermissions.asFileAttribute(EnumSet.of(PosixFilePermission.OWNER_READ, + PosixFilePermission.OWNER_WRITE)) + }; + private static final FileAttribute[] NO_TMPFILE_ATTRIBUTES = new FileAttribute[0]; + /** * A one item cache for fromUri. * fromUri is called for each element when parsing ant build @@ -893,6 +905,10 @@ public String toVMSPath(File f) { * yield a different file name. * </p> * + * <p>If the filesystem where the temporary file is created + * supports POSIX permissions, the file will only be readable and + * writable by the current user.</p> + * * @param prefix file name prefix. * @param suffix * file extension; include the '.'. @@ -916,6 +932,10 @@ public File createTempFile(String prefix, String suffix, File parentDir) { * exist before this method was invoked, any subsequent invocation * of this method will yield a different file name.</p> * + * <p>If the filesystem where the temporary file is created + * supports POSIX permissions, the file will only be readable and + * writable by the current user.</p> + * * @param prefix file name prefix. * @param suffix file extension; include the '.'. * @param parentDir Directory to create the temporary file in; @@ -947,6 +967,10 @@ public File createTempFile(String prefix, String suffix, File parentDir, * exist before this method was invoked, any subsequent invocation * of this method will yield a different file name.</p> * + * <p>If the filesystem where the temporary file is created + * supports POSIX permissions, the file will only be readable and + * writable by the current user.</p> + * * @param project reference to the current Ant project. * @param prefix file name prefix. * @param suffix file extension; include the '.'. @@ -984,7 +1008,12 @@ public File createTempFile(final Project project, String prefix, String suffix, if (createFile) { try { - result = File.createTempFile(prefix, suffix, new File(parent)); + final Path parentPath = new File(parent).toPath(); + final PosixFileAttributeView parentPosixAttributes = + Files.getFileAttributeView(parentPath, PosixFileAttributeView.class); + result = Files.createTempFile(parentPath, prefix, suffix, + parentPosixAttributes != null ? TMPFILE_ATTRIBUTES : NO_TMPFILE_ATTRIBUTES) + .toFile(); } catch (IOException e) { throw new BuildException("Could not create tempfile in " + parent, e); @@ -1015,6 +1044,10 @@ public File createTempFile(final Project project, String prefix, String suffix, * yield a different file name. * </p> * + * <p>If the filesystem where the temporary file is created + * supports POSIX permissions, the file will only be readable and + * writable by the current user.</p> + * * @param prefix file name prefix. * @param suffix * file extension; include the '.'. diff --git a/src/tests/junit/org/apache/tools/ant/util/FileUtilsTest.java b/src/tests/junit/org/apache/tools/ant/util/FileUtilsTest.java index fc584563dc..d2ea122221 100644 --- a/src/tests/junit/org/apache/tools/ant/util/FileUtilsTest.java +++ b/src/tests/junit/org/apache/tools/ant/util/FileUtilsTest.java @@ -24,8 +24,11 @@ import java.nio.file.Files; import java.nio.file.Path; import java.nio.file.Paths; +import java.nio.file.attribute.PosixFileAttributeView; +import java.nio.file.attribute.PosixFilePermission; import java.util.Locale; import java.util.Optional; +import java.util.Set; import org.apache.tools.ant.BuildException; import org.apache.tools.ant.MagicTestNames; @@ -40,7 +43,9 @@ import static org.apache.tools.ant.util.FileUtils.getFileUtils; import static org.apache.tools.ant.util.FileUtils.isCaseSensitiveFileSystem; import static org.apache.tools.ant.util.FileUtils.isContextRelativePath; +import static org.hamcrest.Matchers.containsInAnyOrder; import static org.hamcrest.Matchers.endsWith; +import static org.hamcrest.Matchers.hasSize; import static org.hamcrest.Matchers.startsWith; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; @@ -370,6 +375,14 @@ public void testCreateTempFile() throws IOException { assertTrue("File was created", tmp1.exists()); assertEquals((new File(tmploc, tmp1.getName())).getAbsolutePath(), tmp1.getAbsolutePath()); + final PosixFileAttributeView attributes = + Files.getFileAttributeView(tmp1.toPath(), PosixFileAttributeView.class); + if (attributes != null) { + final Set<PosixFilePermission> perm = attributes.readAttributes().permissions(); + assertThat(perm, + containsInAnyOrder(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE)); + assertThat(perm, hasSize(2)); + } tmp1.delete(); // null parent dir, project without magic property
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor