56757 – [PATCH] Possible symlink race condition vulnerability when creating temp files

Bug 56757 - [PATCH] Possible symlink race condition vulnerability when creating temp files

Summary: [PATCH] Possible symlink race condition vulnerability when creating temp files

Status:	RESOLVED FIXED

Alias:	None

Product:	POI
Classification:	Unclassified
Component:	POI Overall (show other bugs)
Version:	3.11-dev
Hardware:	PC All

Importance:	P2 major (vote)
Target Milestone:	---
Assignee:	POI Developers List

URL:
Keywords:

Depends on:
Blocks:

Reported:	2014-07-22 08:59 UTC by Raúl Wegmann
Modified:	2014-07-24 19:01 UTC (History)
CC List:	0 users

Attachments
Fix for symlink race condition vulnerability when creating temp files (1.32 KB, application/x-gzip) 2014-07-22 08:59 UTC, Raúl Wegmann	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Raúl Wegmann 2014-07-22 08:59:08 UTC

Created attachment 31839 [details]
Fix for symlink race condition vulnerability when creating temp files

The org.apache.poi.util.TempFile.createTempFile() method generates a random file name and checks whether a file with that name already exists, but it does neither create the file nor check and create it atomically.

As far as I see (but please correct me if I'm wrong) this constitutes a symlink race condition vulnerability.

The attached patch fixes this by delegating the temp file creation to Java's File.createTempFile() method. 

The patch contains two small API changes:
- TempFile.createTempFile() now throws an IOException as it creates the file.
- I deleted the org.apache.poi.util.PackageHelper.createTempFile() method as it is not used by POI and would actively re-enable the race condition vulnerability by deleting the newly created file.

Comment 1 Nick Burch 2014-07-24 19:01:04 UTC

I believe that the patch for this was rolled into GitHub Pull #10, which was applied in r1613246, so closing this one too, thanks!