This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit 79f87e5aacb24b8ba97b1361cf931f4ed9e1649e Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Tue Mar 12 08:06:58 2024 +0100 Fixed: Prevent possible file race condition with SecuredUpload class (OFBIZ-12937) While trying to upload PDF files I found a possible file race condition in DataServices::createFileMethod and DataServices::updateFileMethod The same could exist in several places in ImageManagementServices and ProductServices classes As this file is a temporary file, the ideal fix is to replace File::delete by File::deleteOnExit --- .../main/java/org/apache/ofbiz/content/data/DataServices.java | 6 ++++-- .../ofbiz/product/imagemanagement/ImageManagementServices.java | 9 ++++++--- .../java/org/apache/ofbiz/product/product/ProductServices.java | 6 ++++-- 3 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
index 96a4b3f99d..23a7f37669 100644
--- a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
+++ b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
@@ -299,7 +299,8 @@ public class DataServices {
 String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedFileFormatsIncludingSvg", locale);
 return ServiceUtil.returnError(errorMessage);
 }
- Files.delete(tempFile);
+ File tempFileToDelete = new File(tempFile.toString());
+ tempFileToDelete.deleteOnExit();
 RandomAccessFile out = new RandomAccessFile(file, "rw");
 out.write(binData.array());
 out.close();
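Review bot: `tempFileToDelete.deleteOnExit()` defers removal until the JVM shuts down, so in a long-running server every upload that reaches this line leaves its temp file on disk and adds an entry to the JVM's delete-on-exit list that is never released; repeated uploads can exhaust disk or heap, and an abnormal termination leaves the files behind. If the race being avoided is the file already having been removed elsewhere (the cause is not visible in the hunk), `Files.deleteIfExists(tempFile);` tolerates a missing file while still cleaning up immediately. The same replacement appears in the second DataServices hunk, the three ImageManagementServices hunks and both ProductServices hunks. The enclosing method starts and ends outside the hunk, so where `tempFile` is created cannot be confirmed here.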
@@ -508,7 +509,8 @@ public class DataServices {
 String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedFileFormatsIncludingSvg", locale);
 return ServiceUtil.returnError(errorMessage);
 }
- Files.delete(tempFile);
+ File tempFileToDelete = new File(tempFile.toString());
+ tempFileToDelete.deleteOnExit();
 RandomAccessFile out = new RandomAccessFile(file, "rw");
 out.setLength(binData.array().length);
 out.write(binData.array());
diff --git a/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/ImageManagementServices.java b/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/ImageManagementServices.java
index e087e94f9c..cea9bc0cc3 100644
--- a/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/ImageManagementServices.java
+++ b/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/ImageManagementServices.java
@@ -163,7 +163,8 @@ public class ImageManagementServices {
 String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedImageFormats", locale);
 return ServiceUtil.returnError(errorMessage);
 }
- Files.delete(tempFile);
+ File tempFileToDelete = new File(tempFile.toString());
+ tempFileToDelete.deleteOnExit();
 // Create image file original to folder product id.
 RandomAccessFile out = new RandomAccessFile(file, "rw");
 out.write(imageData.array());
@@ -192,7 +193,8 @@ public class ImageManagementServices {
 String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedImageFormats", locale);
 return ServiceUtil.returnError(errorMessage);
 }
- Files.delete(tempFile);
+ File tempFileToDelete = new File(tempFile.toString());
+ tempFileToDelete.deleteOnExit();
 RandomAccessFile outFile = new RandomAccessFile(fileOriginal, "rw");
 outFile.write(imageData.array());
 outFile.close();
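Review bot: In the ImageManagementServices hunk at new line 193, `outFile` is closed only when `outFile.write(imageData.array())` returns normally, so an IOException during the write leaves the file descriptor open. A try-with-resources form, `try (RandomAccessFile outFile = new RandomAccessFile(fileOriginal, "rw")) { outFile.write(imageData.array()); }`, closes it on both paths. The other hunks show the same open/write/close sequence on their context lines, and the enclosing methods extend beyond the hunks.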
@@ -573,7 +575,8 @@ public class ImageManagementServices {
 String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedImageFormats", locale);
 return ServiceUtil.returnError(errorMessage);
 }
- Files.delete(tempFile);
+ File tempFileToDelete = new File(tempFile.toString());
+ tempFileToDelete.deleteOnExit();
 RandomAccessFile outFileThumb = new RandomAccessFile(fileOriginalThumb, "rw");
 outFileThumb.write(imageData.array());
 outFileThumb.close();
diff --git a/applications/product/src/main/java/org/apache/ofbiz/product/product/ProductServices.java b/applications/product/src/main/java/org/apache/ofbiz/product/product/ProductServices.java
index 243610092d..b9bb6d4a9e 100644
--- a/applications/product/src/main/java/org/apache/ofbiz/product/product/ProductServices.java
+++ b/applications/product/src/main/java/org/apache/ofbiz/product/product/ProductServices.java
@@ -1062,7 +1062,8 @@ public class ProductServices {
 String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedImageFormats", locale);
 return ServiceUtil.returnError(errorMessage);
 }
- Files.delete(tempFile);
+ File tempFileToDelete = new File(tempFile.toString());
+ tempFileToDelete.deleteOnExit();
 RandomAccessFile out = new RandomAccessFile(fileToCheck, "rw");
 out.write(imageData.array());
 out.close();
@@ -1367,7 +1368,8 @@ public class ProductServices {
 String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedImageFormats", locale);
 return ServiceUtil.returnError(errorMessage);
 }
- Files.delete(tempFile);
+ File tempFileToDelete = new File(tempFile.toString());
+ tempFileToDelete.deleteOnExit();
 RandomAccessFile out = new RandomAccessFile(file, "rw");
 out.write(imageData.array());
 out.close();