Summary: | [PATCH] Possible symlink race condition vulnerability when creating temp files | ||
---|---|---|---|
Product: | POI | Reporter: | Raúl Wegmann <raul.wegmann> |
Component: | POI Overall | Assignee: | POI Developers List <dev> |
Status: | RESOLVED FIXED | ||
Severity: | major | ||
Priority: | P2 | ||
Version: | 3.11-dev | ||
Target Milestone: | --- | ||
Hardware: | PC | ||
OS: | All | ||
Attachments: | Fix for symlink race condition vulnerability when creating temp files |
Created attachment 31839 [details] Fix for symlink race condition vulnerability when creating temp files The org.apache.poi.util.TempFile.createTempFile() method generates a random file name and checks whether a file with that name already exists, but it does neither create the file nor check and create it atomically. As far as I see (but please correct me if I'm wrong) this constitutes a symlink race condition vulnerability. The attached patch fixes this by delegating the temp file creation to Java's File.createTempFile() method. The patch contains two small API changes: - TempFile.createTempFile() now throws an IOException as it creates the file. - I deleted the org.apache.poi.util.PackageHelper.createTempFile() method as it is not used by POI and would actively re-enable the race condition vulnerability by deleting the newly created file.