This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/tomcat-maven-plugin.git
The following commit(s) were added to refs/heads/trunk by this push:
new d40a30b Hardening: Temporary File Information Disclosure (#39)
d40a30b is described below
commit d40a30bc6370a54a719de1458b8944828584174a
Author: Jonathan Leitschuh <[email protected]>
AuthorDate: Tue Jan 27 18:16:08 2026 +0100
Hardening: Temporary File Information Disclosure (#39)
Note from Tomcat team: Given that this plugin is used by developers in
development environments, this fix is viewed as hardening rather than a
vulnerability fix.
This fixes a temporary file information disclosure vulnerability due to the
use
of the vulnerable `File.createTempFile()` method. The vulnerability is
fixed by
using the `Files.createTempFile()` method, which sets the correct POSIX
permissions.
Weakness: CWE-377: Insecure Temporary File
Severity: Medium
CVSSS: 5.5
Detection: CodeQL & OpenRewrite
(https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)
Reported-by: Jonathan Leitschuh <[email protected]>
Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18
Co-authored-by: Moderne <[email protected]>
---
.../test/java/org/apache/tomcat/maven/common/TomcatManagerTest.java | 5 +++--
.../apache/tomcat/maven/plugin/tomcat7/run/AbstractExecWarMojo.java | 3 ++-
.../apache/tomcat/maven/plugin/tomcat8/run/AbstractExecWarMojo.java | 3 ++-
3 files changed, 7 insertions(+), 4 deletions(-)
diff --git
a/common-tomcat-maven-plugin/src/test/java/org/apache/tomcat/maven/common/TomcatManagerTest.java
b/common-tomcat-maven-plugin/src/test/java/org/apache/tomcat/maven/common/TomcatManagerTest.java
index 513194a..e156a0c 100644
---
a/common-tomcat-maven-plugin/src/test/java/org/apache/tomcat/maven/common/TomcatManagerTest.java
+++
b/common-tomcat-maven-plugin/src/test/java/org/apache/tomcat/maven/common/TomcatManagerTest.java
@@ -35,6 +35,7 @@ import java.io.FileOutputStream;
import java.io.IOException;
import java.io.StringWriter;
import java.net.URL;
+import java.nio.file.Files;
import java.util.ArrayList;
import java.util.List;
@@ -220,7 +221,7 @@ public class TomcatManagerTest
throws ServletException, IOException
{
System.out.println( "put ok:" + req.getRequestURI() );
- File file = File.createTempFile( "tomcat-unit-test", "tmp" );
+ File file = Files.createTempFile( "tomcat-unit-test", "tmp"
).toFile();
uploadedResources.add( new UploadedResource( req.getRequestURI(),
file ) );
IOUtils.copy( req.getInputStream(), new FileOutputStream( file ) );
}
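Review bot: The `IOUtils.copy( req.getInputStream(), new FileOutputStream( file ) )` line on the new side still opens a `FileOutputStream` that is never closed, so the handle to the freshly created temp file leaks until finalization; with the file now created by `Files.createTempFile`, the open handle also blocks deletion on platforms that lock open files. Since the code base already requires Java 7 for `java.nio.file.Files`, the copy can use try-with-resources: `try ( FileOutputStream out = new FileOutputStream( file ) ) { IOUtils.copy( req.getInputStream(), out ); }`. The enclosing servlet method starts outside this hunk, and nothing visible here deletes the temp file afterwards; if `uploadedResources` is cleaned up elsewhere that may be fine, otherwise a `file.deleteOnExit()` after creation would keep the unit test from accumulating files in `java.io.tmpdir`. The same applies to the second hunk of this file (the `redirectrelative` branch).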
@@ -242,7 +243,7 @@ public class TomcatManagerTest
System.out.println( "RedirectServlet put ok:" +
req.getRequestURI() );
if ( req.getRequestURI().contains( "redirectrelative" ) )
{
- File file = File.createTempFile( "tomcat-unit-test", "tmp" );
+ File file = Files.createTempFile( "tomcat-unit-test", "tmp"
).toFile();
uploadedResources.add( new UploadedResource(
req.getRequestURI(), file ) );
IOUtils.copy( req.getInputStream(), new FileOutputStream( file
) );
return;
diff --git
a/tomcat7-maven-plugin/src/main/java/org/apache/tomcat/maven/plugin/tomcat7/run/AbstractExecWarMojo.java
b/tomcat7-maven-plugin/src/main/java/org/apache/tomcat/maven/plugin/tomcat7/run/AbstractExecWarMojo.java
index ec10cc8..c21b577 100644
---
a/tomcat7-maven-plugin/src/main/java/org/apache/tomcat/maven/plugin/tomcat7/run/AbstractExecWarMojo.java
+++
b/tomcat7-maven-plugin/src/main/java/org/apache/tomcat/maven/plugin/tomcat7/run/AbstractExecWarMojo.java
@@ -52,6 +52,7 @@ import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.io.PrintWriter;
+import java.nio.file.Files;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.Iterator;
@@ -619,7 +620,7 @@ public abstract class AbstractExecWarMojo
{
ArchiveOutputStream os = null;
OutputStream warOutputStream = null;
- File tmpWar = File.createTempFile( "tomcat", "war-exec" );
+ File tmpWar = Files.createTempFile( "tomcat", "war-exec" ).toFile();
tmpWar.deleteOnExit();
try
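Review bot: The `Files.createTempFile( "tomcat", "war-exec" ).toFile()` line only produces owner-only permissions on file systems that support POSIX attributes; elsewhere the file inherits the permissions of `java.io.tmpdir`, so the hardening the commit message describes is platform-dependent rather than unconditional. Because the call is visually almost identical to the old one, it is worth a comment so a future cleanup does not revert it: `// Files.createTempFile creates the file with owner-only permissions on POSIX file systems (CWE-377); do not revert to File.createTempFile.`. The `try` opened on the last line of the hunk continues outside it, so whether the exec WAR is removed on failure paths other than `deleteOnExit` is not visible here. The identical hunk in tomcat8-maven-plugin's AbstractExecWarMojo.java has the same point.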
diff --git
a/tomcat8-maven-plugin/src/main/java/org/apache/tomcat/maven/plugin/tomcat8/run/AbstractExecWarMojo.java
b/tomcat8-maven-plugin/src/main/java/org/apache/tomcat/maven/plugin/tomcat8/run/AbstractExecWarMojo.java
index 5cd9ef1..136aee2 100644
---
a/tomcat8-maven-plugin/src/main/java/org/apache/tomcat/maven/plugin/tomcat8/run/AbstractExecWarMojo.java
+++
b/tomcat8-maven-plugin/src/main/java/org/apache/tomcat/maven/plugin/tomcat8/run/AbstractExecWarMojo.java
@@ -52,6 +52,7 @@ import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.io.PrintWriter;
+import java.nio.file.Files;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
@@ -610,7 +611,7 @@ public abstract class AbstractExecWarMojo
{
ArchiveOutputStream os = null;
OutputStream warOutputStream = null;
- File tmpWar = File.createTempFile( "tomcat", "war-exec" );
+ File tmpWar = Files.createTempFile( "tomcat", "war-exec" ).toFile();
tmpWar.deleteOnExit();
try