This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit d5d5a379404a2ab458bed5b92f3c0c4fa7c50638
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Tue Mar 12 08:06:58 2024 +0100
Fixed: Prevent possible file race condition with SecuredUpload class (OFBIZ-12937)
While trying to upload PDF files I found a possible file race condition in DataServices::createFileMethod and DataServices::updateFileMethod
The same could exist in several places in ImageManagementServices and ProductServices classes
As this file is a temporary file, the ideal fix is to replace File::delete by File::deleteOnExit
---
 .../main/java/org/apache/ofbiz/content/data/DataServices.java | 6 ++++--
 .../ofbiz/product/imagemanagement/ImageManagementServices.java | 9 ++++++---
 .../java/org/apache/ofbiz/product/product/ProductServices.java | 6 ++++--
 3 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
index 96a4b3f99d..23a7f37669 100644
--- a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
+++ b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
@@ -299,7 +299,8 @@ public class DataServices {
 String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedFileFormatsIncludingSvg", locale);
 return ServiceUtil.returnError(errorMessage);
 }
- Files.delete(tempFile);
+ File tempFileToDelete = new File(tempFile.toString());
+ tempFileToDelete.deleteOnExit();
 RandomAccessFile out = new RandomAccessFile(file, "rw");
 out.write(binData.array());
 out.close();
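Review bot: `deleteOnExit()` only schedules removal for JVM shutdown, so in a long-running server each accepted upload now leaves its temp file on disk, and its path registered in the JVM, until the process stops; the same two lines are added in the six other hunks of this commit (DataServices, ImageManagementServices, ProductServices). Repeated uploads can therefore fill the temp directory, and the files are not removed at all if the JVM terminates abnormally. If the race is that the file may already be gone when the delete runs — an assumption, since `tempFile` is created outside the hunk — `Files.deleteIfExists(tempFile);` keeps the immediate cleanup without throwing. If `deleteOnExit` is kept, `tempFile.toFile().deleteOnExit();` avoids the `new File(tempFile.toString())` round-trip.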
@@ -508,7 +509,8 @@ public class DataServices {
 String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedFileFormatsIncludingSvg", locale);
 return ServiceUtil.returnError(errorMessage);
 }
- Files.delete(tempFile);
+ File tempFileToDelete = new File(tempFile.toString());
+ tempFileToDelete.deleteOnExit();
 RandomAccessFile out = new RandomAccessFile(file, "rw");
 out.setLength(binData.array().length);
 out.write(binData.array());
diff --git a/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/ImageManagementServices.java b/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/ImageManagementServices.java
index 59168fb7be..a3f44bf3ed 100644
--- a/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/ImageManagementServices.java
+++ b/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/ImageManagementServices.java
@@ -165,7 +165,8 @@ public class ImageManagementServices {
 String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedImageFormats", locale);
 return ServiceUtil.returnError(errorMessage);
 }
- Files.delete(tempFile);
+ File tempFileToDelete = new File(tempFile.toString());
+ tempFileToDelete.deleteOnExit();
 // Create image file original to folder product id.
 RandomAccessFile out = new RandomAccessFile(file, "rw");
 out.write(imageData.array());
@@ -194,7 +195,8 @@ public class ImageManagementServices {
 String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedImageFormats", locale);
 return ServiceUtil.returnError(errorMessage);
 }
- Files.delete(tempFile);
+ File tempFileToDelete = new File(tempFile.toString());
+ tempFileToDelete.deleteOnExit();
 RandomAccessFile outFile = new RandomAccessFile(fileOriginal, "rw");
 outFile.write(imageData.array());
 outFile.close();
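Review bot: The rejection branch kept as context at the top of this hunk returns `ServiceUtil.returnError(errorMessage)` before the temp file is touched, so on the visible lines a file that failed the format check is neither deleted nor registered for deletion. The check itself is outside the hunk and may clean up on its own; if it does not, rejected uploads stay on disk indefinitely. Calling `Files.deleteIfExists(tempFile);` before that return, or moving the cleanup into a `finally`, would cover both outcomes. The same shape appears in the other six hunks of this commit.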
@@ -585,7 +587,8 @@ public class ImageManagementServices {
 String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedImageFormats", locale);
 return ServiceUtil.returnError(errorMessage);
 }
- Files.delete(tempFile);
+ File tempFileToDelete = new File(tempFile.toString());
+ tempFileToDelete.deleteOnExit();
 RandomAccessFile outFileThumb = new RandomAccessFile(fileOriginalThumb, "rw");
 outFileThumb.write(imageData.array());
 outFileThumb.close();
diff --git a/applications/product/src/main/java/org/apache/ofbiz/product/product/ProductServices.java b/applications/product/src/main/java/org/apache/ofbiz/product/product/ProductServices.java
index 8a628fd792..5999991364 100644
--- a/applications/product/src/main/java/org/apache/ofbiz/product/product/ProductServices.java
+++ b/applications/product/src/main/java/org/apache/ofbiz/product/product/ProductServices.java
@@ -1084,7 +1084,8 @@ public class ProductServices {
 String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedImageFormats", locale);
 return ServiceUtil.returnError(errorMessage);
 }
- Files.delete(tempFile);
+ File tempFileToDelete = new File(tempFile.toString());
+ tempFileToDelete.deleteOnExit();
 RandomAccessFile out = new RandomAccessFile(fileToCheck, "rw");
 out.write(imageData.array());
 out.close();
@@ -1392,7 +1393,8 @@ public class ProductServices {
 String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedImageFormats", locale);
 return ServiceUtil.returnError(errorMessage);
 }
- Files.delete(tempFile);
+ File tempFileToDelete = new File(tempFile.toString());
+ tempFileToDelete.deleteOnExit();
 RandomAccessFile out = new RandomAccessFile(file, "rw");
 out.write(imageData.array());
 out.close();
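Review bot: `outFileThumb` is closed only on the success path: if `outFileThumb.write(imageData.array())` throws, `outFileThumb.close()` is skipped and the file handle is left open. `try (RandomAccessFile outFileThumb = new RandomAccessFile(fileOriginalThumb, "rw")) { outFileThumb.write(imageData.array()); }` closes it on every path. The `RandomAccessFile` writes in the two ProductServices hunks that follow and in the earlier hunks use the same open/write/close sequence; the enclosing methods start and end outside the hunks.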