markt pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/tomcat-maven-plugin.git
The following commit(s) were added to refs/heads/trunk by this push:
new 8e1c632 hardening: Temporary Directory Hijacking or Information
Disclosure (#37)
8e1c632 is described below
commit 8e1c6326949496570f9784c81f8fb4d98f929bf4
Author: Jonathan Leitschuh <[email protected]>
AuthorDate: Tue Jan 27 18:18:34 2026 +0100
hardening: Temporary Directory Hijacking or Information Disclosure (#37)
Note from Tomcat team: Given that this plugin is used by developers in
development environments, this fix is viewed as hardening rather than a
vulnerability fix.
This fixes either Temporary Directory Hijacking, or Temporary Directory
Local Information Disclosure.
Weakness: CWE-379: Creation of Temporary File in Directory with Insecure
Permissions
Severity: High
CVSS: 7.3
Detection: CodeQL & OpenRewrite
(https://public.moderne.io/recipes/org.openrewrite.java.security.UseFilesCreateTempDirectory)
Reported-by: Jonathan Leitschuh <[email protected]>
Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/10
Co-authored-by: Moderne <[email protected]>
---
.../org/apache/tomcat/maven/plugin/tomcat7/run/RunMojo.java | 13 ++-----------
.../org/apache/tomcat/maven/plugin/tomcat8/run/RunMojo.java | 13 ++-----------
2 files changed, 4 insertions(+), 22 deletions(-)
diff --git
a/tomcat7-maven-plugin/src/main/java/org/apache/tomcat/maven/plugin/tomcat7/run/RunMojo.java
b/tomcat7-maven-plugin/src/main/java/org/apache/tomcat/maven/plugin/tomcat7/run/RunMojo.java
index dc50aa4..4e86cea 100644
---
a/tomcat7-maven-plugin/src/main/java/org/apache/tomcat/maven/plugin/tomcat7/run/RunMojo.java
+++
b/tomcat7-maven-plugin/src/main/java/org/apache/tomcat/maven/plugin/tomcat7/run/RunMojo.java
@@ -46,6 +46,7 @@ import java.io.FileReader;
import java.io.FileWriter;
import java.io.IOException;
import java.io.StringWriter;
+import java.nio.file.Files;
import java.util.List;
import java.util.Set;
@@ -154,17 +155,7 @@ public class RunMojo
private static File createTempDirectory( File baseTmpDirectory )
throws IOException
{
- final File temp = File.createTempFile( "temp", Long.toString(
System.nanoTime() ), baseTmpDirectory );
-
- if ( !( temp.delete() ) )
- {
- throw new IOException( "Could not delete temp file: " +
temp.getAbsolutePath() );
- }
-
- if ( !( temp.mkdir() ) )
- {
- throw new IOException( "Could not create temp directory: " +
temp.getAbsolutePath() );
- }
+ final File temp = Files.createTempDirectory(baseTmpDirectory.toPath(),
"temp" + Long.toString(System.nanoTime())).toFile();
return temp;
}
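Review bot: The `"temp" + Long.toString(System.nanoTime())` prefix on the new `Files.createTempDirectory` call carries over the old uniqueness trick, but `Files.createTempDirectory` already appends its own random component to the prefix, so the nanoTime suffix is now redundant and the `final File temp` local only exists to be returned. The same applies to the identical hunk in the tomcat8 `RunMojo.java` below. Since the point of the change is security, the method also deserves a comment saying why this API is used, because a future maintainer may otherwise revert to `File.createTempFile`; on POSIX file systems the directory is created atomically with owner-only permissions, whereas (I believe) on Windows the parent's default ACL applies, so the hardening depends on the platform. I would reduce the body to `// Atomic create with owner-only permissions on POSIX; avoids the delete()/mkdir() race of File.createTempFile.` followed by `return Files.createTempDirectory( baseTmpDirectory.toPath(), "temp" ).toFile();`.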
diff --git
a/tomcat8-maven-plugin/src/main/java/org/apache/tomcat/maven/plugin/tomcat8/run/RunMojo.java
b/tomcat8-maven-plugin/src/main/java/org/apache/tomcat/maven/plugin/tomcat8/run/RunMojo.java
index 115ddfb..244e4ba 100644
---
a/tomcat8-maven-plugin/src/main/java/org/apache/tomcat/maven/plugin/tomcat8/run/RunMojo.java
+++
b/tomcat8-maven-plugin/src/main/java/org/apache/tomcat/maven/plugin/tomcat8/run/RunMojo.java
@@ -61,6 +61,7 @@ import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.net.URLClassLoader;
+import java.nio.file.Files;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
@@ -181,17 +182,7 @@ public class RunMojo
private static File createTempDirectory( File baseTmpDirectory )
throws IOException
{
- final File temp = File.createTempFile( "temp", Long.toString(
System.nanoTime() ), baseTmpDirectory );
-
- if ( !( temp.delete() ) )
- {
- throw new IOException( "Could not delete temp file: " +
temp.getAbsolutePath() );
- }
-
- if ( !( temp.mkdir() ) )
- {
- throw new IOException( "Could not create temp directory: " +
temp.getAbsolutePath() );
- }
+ final File temp = Files.createTempDirectory(baseTmpDirectory.toPath(),
"temp" + Long.toString(System.nanoTime())).toFile();
return temp;
}