Created attachment 31839 [details]
Fix for symlink race condition vulnerability when creating temp files

The org.apache.poi.util.TempFile.createTempFile() method generates a random file name and checks whether a file with that name already exists, but it neither creates the file nor checks for and creates it atomically. As far as I see (but please correct me if I'm wrong) this constitutes a symlink race condition vulnerability. The attached patch fixes this by delegating the temp file creation to Java's File.createTempFile() method.

The patch contains two small API changes:
- TempFile.createTempFile() now throws an IOException as it creates the file.
- I deleted the org.apache.poi.util.PackageHelper.createTempFile() method as it is not used by POI and would actively re-enable the race condition vulnerability by deleting the newly created file.
I believe that the patch for this was rolled into GitHub Pull #10, which was applied in r1613246, so closing this one too, thanks!
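Added illustration of the issue discussed in this report (example code written here, not POI's source and not the attached patch): the check-then-use shape the reporter describes beside the atomic File.createTempFile() delegation, and, as an extra step beyond the patch, the NIO variant that also applies owner-only permissions in the same atomic call. The class and method names (TempFileRaceDemo, vulnerableCreateTempFile, fixedCreateTempFile, hardenedCreateTempFile) are assumptions for this example.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Random;

public class TempFileRaceDemo {

    // Hypothetical reconstruction of the pre-fix shape (not POI's source): pick a random
    // name, test for existence, return a path that was never created. Between the exists()
    // check and the caller's first write, another local user can drop a symlink at that
    // path, so the caller's write follows the link (time-of-check/time-of-use gap).
    static File vulnerableCreateTempFile(File dir, String prefix, String suffix) {
        Random rnd = new Random();
        File candidate;
        do {
            candidate = new File(dir, prefix + Long.toHexString(rnd.nextLong()) + suffix);
        } while (candidate.exists()); // check ...
        return candidate;             // ... but no create: the window is open here
    }

    // Fixed shape as the patch describes: delegate to File.createTempFile, which creates
    // the file exclusively (create-if-absent) before returning, so there is nothing to race.
    static File fixedCreateTempFile(File dir, String prefix, String suffix) throws IOException {
        return File.createTempFile(prefix, suffix, dir);
    }

    // One step beyond the patch (added here, not part of the report): the NIO API creates
    // the file and applies owner-only permissions in the same atomic step. POSIX only.
    static Path hardenedCreateTempFile(Path dir, String prefix, String suffix) throws IOException {
        return Files.createTempFile(dir, prefix, suffix,
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")));
    }

    public static void main(String[] args) throws IOException {
        File dir = new File(System.getProperty("java.io.tmpdir"));
        File v = vulnerableCreateTempFile(dir, "poi-", ".tmp");
        System.out.println("vulnerable: path exists when returned? " + v.exists());
        File f = fixedCreateTempFile(dir, "poi-", ".tmp");
        System.out.println("fixed: path exists when returned? " + f.exists());
        f.delete();
        Path p = hardenedCreateTempFile(dir.toPath(), "poi-", ".tmp");
        System.out.println("hardened: perms " + PosixFilePermissions.toString(Files.getPosixFilePermissions(p)));
        Files.delete(p);
    }
}
```

The vulnerable variant hands back a path that does not yet exist, which is exactly the gap the report describes; the two other variants return only after the file has been created, so a caller's first write cannot be redirected through a link planted in between.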