| Summary: | [PATCH] Possible symlink race condition vulnerability when creating temp files | ||
|---|---|---|---|
| Product: | POI | Reporter: | Raúl Wegmann <raul.wegmann> |
| Component: | POI Overall | Assignee: | POI Developers List <dev> |
| Status: | RESOLVED FIXED | ||
| Severity: | major | ||
| Priority: | P2 | ||
| Version: | 3.11-dev | ||
| Target Milestone: | --- | ||
| Hardware: | PC | ||
| OS: | All | ||
| Attachments: | Fix for symlink race condition vulnerability when creating temp files | ||
Created attachment 31839 [details] Fix for symlink race condition vulnerability when creating temp files The org.apache.poi.util.TempFile.createTempFile() method generates a random file name and checks whether a file with that name already exists, but it does neither create the file nor check and create it atomically. As far as I see (but please correct me if I'm wrong) this constitutes a symlink race condition vulnerability. The attached patch fixes this by delegating the temp file creation to Java's File.createTempFile() method. The patch contains two small API changes: - TempFile.createTempFile() now throws an IOException as it creates the file. - I deleted the org.apache.poi.util.PackageHelper.createTempFile() method as it is not used by POI and would actively re-enable the race condition vulnerability by deleting the newly created file.