File _service:tar_scm:CVE-2021-21290.patch of Package netty
From f1f550f682ea781cda3d86e5114b7b7cab4513c8 Mon Sep 17 00:00:00 2001
From: wang_yue111 <648774160@qq.com>
Date: Tue, 9 Mar 2021 14:57:32 +0800
Subject: [PATCH] Use Files.createTempFile(...) to ensure the file is created with proper permissions

Motivation: File.createTempFile(String, String)` will create a temporary file in the system temporary directory if the 'java.io.tmpdir'. The permissions on that file utilize the umask. In a majority of cases, this means that the file that java creates has the permissions: `-rw-r--r--`, thus, any other local user on that system can read the contents of that file. This can be a security concern if any sensitive data is stored in this file. This was reported by Jonathan Leitschuh <jonathan.leitschuh@gmail.com> as a security problem.
Modifications: Use Files.createTempFile(...) which will use safe-defaults when running on java 7 and later. If running on java 6 there isnt much we can do, which is fair enough as java 6 shouldnt be considered "safe" anyway.
Result: Create temporary files with sane permissions by default.
---
 .../io/netty/buffer/AbstractByteBufTest.java | 4 ++--
 .../http/multipart/AbstractDiskHttpData.java | 5 +++--
 .../codec/http/HttpChunkedInputTest.java | 3 ++-
 .../util/internal/NativeLibraryLoader.java | 3 ++-
 .../util/internal/PlatformDependent.java | 20 +++++++++++++++++++
 .../ssl/util/SelfSignedCertificate.java | 5 +++--
 .../stream/ChunkedWriteHandlerTest.java | 3 ++-
 .../socket/SocketFileRegionTest.java | 2 +-
 .../epoll/EpollSocketTestPermutation.java | 1 +
 .../netty/channel/epoll/EpollSpliceTest.java | 3 ++-
 .../channel/unix/tests/UnixTestUtils.java | 3 ++-
 11 files changed, 40 insertions(+), 12 deletions(-)

diff --git a/buffer/src/test/java/io/netty/buffer/AbstractByteBufTest.java b/buffer/src/test/java/io/netty/buffer/AbstractByteBufTest.java
index ef9d729..0d4d3e6 100644
--- a/buffer/src/test/java/io/netty/buffer/AbstractByteBufTest.java
+++ b/buffer/src/test/java/io/netty/buffer/AbstractByteBufTest.java
@@ -3962,7 +3962,7 @@ public abstract class AbstractByteBufTest {
 @Test
 public void testReadBytesAndWriteBytesWithFileChannel() throws IOException {
- File file = File.createTempFile("file-channel", ".tmp");
+ File file = PlatformDependent.createTempFile("file-channel", ".tmp", null);
 RandomAccessFile randomAccessFile = null;
 try {
 randomAccessFile = new RandomAccessFile(file, "rw");
@@ -4005,7 +4005,7 @@ public abstract class AbstractByteBufTest {
 @Test
 public void testGetBytesAndSetBytesWithFileChannel() throws IOException {
- File file = File.createTempFile("file-channel", ".tmp");
+ File file = PlatformDependent.createTempFile("file-channel", ".tmp", null);
 RandomAccessFile randomAccessFile = null;
 try {
 randomAccessFile = new RandomAccessFile(file, "rw");
diff --git a/codec-http/src/main/java/io/netty/handler/codec/http/multipart/AbstractDiskHttpData.java b/codec-http/src/main/java/io/netty/handler/codec/http/multipart/AbstractDiskHttpData.java
index a21e72f..9251673 100644
--- a/codec-http/src/main/java/io/netty/handler/codec/http/multipart/AbstractDiskHttpData.java
+++ b/codec-http/src/main/java/io/netty/handler/codec/http/multipart/AbstractDiskHttpData.java
@@ -18,6 +18,7 @@ package io.netty.handler.codec.http.multipart;
 import io.netty.buffer.ByteBuf;
 import io.netty.handler.codec.http.HttpConstants;
 import io.netty.util.internal.EmptyArrays;
+import io.netty.util.internal.PlatformDependent;
 import io.netty.util.internal.logging.InternalLogger;
 import io.netty.util.internal.logging.InternalLoggerFactory;
@@ -87,9 +88,9 @@ public abstract class AbstractDiskHttpData extends AbstractHttpData {
 File tmpFile;
 if (getBaseDirectory() == null) {
 // create a temporary file
- tmpFile = File.createTempFile(getPrefix(), newpostfix);
+ tmpFile = PlatformDependent.createTempFile(getPrefix(), newpostfix, null);
 } else {
- tmpFile = File.createTempFile(getPrefix(), newpostfix, new File(
+ tmpFile = PlatformDependent.createTempFile(getPrefix(), newpostfix, new File(
 getBaseDirectory()));
 }
 if (deleteOnExit()) {
diff --git a/codec-http/src/test/java/io/netty/handler/codec/http/HttpChunkedInputTest.java b/codec-http/src/test/java/io/netty/handler/codec/http/HttpChunkedInputTest.java
index 002c8d0..8e75eb9 100644
--- a/codec-http/src/test/java/io/netty/handler/codec/http/HttpChunkedInputTest.java
+++ b/codec-http/src/test/java/io/netty/handler/codec/http/HttpChunkedInputTest.java
@@ -25,6 +25,7 @@ import io.netty.handler.stream.ChunkedNioFile;
 import io.netty.handler.stream.ChunkedNioStream;
 import io.netty.handler.stream.ChunkedStream;
 import io.netty.handler.stream.ChunkedWriteHandler;
+import io.netty.util.internal.PlatformDependent;
 import org.junit.Test;
 import java.io.ByteArrayInputStream;
@@ -46,7 +47,7 @@ public class HttpChunkedInputTest {
 FileOutputStream out = null;
 try {
- TMP = File.createTempFile("netty-chunk-", ".tmp");
+ TMP = PlatformDependent.createTempFile("netty-chunk-", ".tmp", null);
 TMP.deleteOnExit();
 out = new FileOutputStream(TMP);
 out.write(BYTES);
diff --git a/common/src/main/java/io/netty/util/internal/NativeLibraryLoader.java b/common/src/main/java/io/netty/util/internal/NativeLibraryLoader.java
index 1b0a71d..cb4d4f2 100644
--- a/common/src/main/java/io/netty/util/internal/NativeLibraryLoader.java
+++ b/common/src/main/java/io/netty/util/internal/NativeLibraryLoader.java
@@ -15,6 +15,7 @@
 */
 package io.netty.util.internal;
+import io.netty.util.internal.PlatformDependent;
 import io.netty.util.internal.logging.InternalLogger;
 import io.netty.util.internal.logging.InternalLoggerFactory;
@@ -212,7 +213,7 @@ public final class NativeLibraryLoader {
 OutputStream out = null;
 File tmpFile = null;
 try {
- tmpFile = File.createTempFile(prefix, suffix, WORKDIR);
+ tmpFile = PlatformDependent.createTempFile(prefix, suffix, WORKDIR);
 in = url.openStream();
 out = new FileOutputStream(tmpFile);
diff --git a/common/src/main/java/io/netty/util/internal/PlatformDependent.java b/common/src/main/java/io/netty/util/internal/PlatformDependent.java
index 2fd3c98..6cc4532 100644
--- a/common/src/main/java/io/netty/util/internal/PlatformDependent.java
+++ b/common/src/main/java/io/netty/util/internal/PlatformDependent.java
@@ -17,6 +17,7 @@ package io.netty.util.internal;
 import io.netty.util.internal.logging.InternalLogger;
 import io.netty.util.internal.logging.InternalLoggerFactory;
+import io.netty.util.internal.PlatformDependent;
 import org.jctools.queues.MpscArrayQueue;
 import org.jctools.queues.MpscChunkedArrayQueue;
 import org.jctools.queues.SpscLinkedQueue;
@@ -27,9 +28,11 @@ import org.jctools.util.Pow2;
 import org.jctools.util.UnsafeAccess;
 import java.io.File;
+import java.io.IOException;
 import java.lang.reflect.Method;
 import java.nio.ByteBuffer;
 import java.nio.ByteOrder;
+import java.nio.file.Files;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
 import java.util.Deque;
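Review bot: The import added in the `@@ -15,6 +15,7 @@` hunk of NativeLibraryLoader.java names a class from the file's own package `io.netty.util.internal`, and the `@@ -17,6 +17,7 @@` hunk of PlatformDependent.java makes the file import the class it declares. Both `import io.netty.util.internal.PlatformDependent;` lines are redundant and can be dropped; if the build runs an unused-import lint rule they may be flagged. The `java.io.IOException` and `java.nio.file.Files` imports added in the `@@ -27,9 +28,11 @@` hunk are the ones the new helper actually needs.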
@@ -1166,6 +1169,23 @@ public final class PlatformDependent {
 return true;
 }
+ public static File createTempFile(String prefix, String suffix, File directory) throws IOException {
+ if (javaVersion() >= 7) {
+ if (directory == null) {
+ return Files.createTempFile(prefix, suffix).toFile();
+ }
+ return Files.createTempFile(directory.toPath(), prefix, suffix).toFile();
+ }
+ if (directory == null) {
+ return File.createTempFile(prefix, suffix);
+ }
+ File file = File.createTempFile(prefix, suffix, directory);
+ // Try to adjust the perms, if this fails there is not much else we can do...
+ file.setReadable(false, false);
+ file.setReadable(true, true);
+ return file;
+ }
+
 /**
 * Package private for testing purposes only!
 */
diff --git a/handler/src/main/java/io/netty/handler/ssl/util/SelfSignedCertificate.java b/handler/src/main/java/io/netty/handler/ssl/util/SelfSignedCertificate.java
index 112e1a8..4fa3d53 100644
--- a/handler/src/main/java/io/netty/handler/ssl/util/SelfSignedCertificate.java
+++ b/handler/src/main/java/io/netty/handler/ssl/util/SelfSignedCertificate.java
@@ -20,6 +20,7 @@ import io.netty.buffer.ByteBuf;
 import io.netty.buffer.Unpooled;
 import io.netty.handler.codec.base64.Base64;
 import io.netty.util.CharsetUtil;
+import io.netty.util.internal.PlatformDependent;
 import io.netty.util.internal.SystemPropertyUtil;
 import io.netty.util.internal.logging.InternalLogger;
 import io.netty.util.internal.logging.InternalLoggerFactory;
@@ -236,7 +237,7 @@ public final class SelfSignedCertificate {
 wrappedBuf.release();
 }
- File keyFile = File.createTempFile("keyutil_" + fqdn + '_', ".key");
+ File keyFile = PlatformDependent.createTempFile("keyutil_" + fqdn + '_', ".key", null);
 keyFile.deleteOnExit();
 OutputStream keyOut = new FileOutputStream(keyFile);
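Review bot: On the pre-Java-7 branch of `createTempFile`, the `directory == null` case returns `File.createTempFile(prefix, suffix)` directly, so the `setReadable` tightening below it runs only when a directory is passed. Most callers in this patch pass `null`, including the `.key` file written by SelfSignedCertificate in the `@@ -236,7 +237,7 @@` hunk, so on that branch those files keep the umask-derived permissions the commit message describes. Letting both cases fall through to the permission calls would close the gap: `File file = directory == null ? File.createTempFile(prefix, suffix) : File.createTempFile(prefix, suffix, directory);`. The return values of `setReadable` are ignored and the file exists with its original permissions until they run. A Javadoc on this new public method should state that, along with the fact that a `null` directory means the default temp directory and that the restrictive permissions are only expected on Java 7 and later.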
@@ -267,7 +268,7 @@ public final class SelfSignedCertificate {
 wrappedBuf.release();
 }
- File certFile = File.createTempFile("keyutil_" + fqdn + '_', ".crt");
+ File certFile = PlatformDependent.createTempFile("keyutil_" + fqdn + '_', ".crt", null);
 certFile.deleteOnExit();
 OutputStream certOut = new FileOutputStream(certFile);
diff --git a/handler/src/test/java/io/netty/handler/stream/ChunkedWriteHandlerTest.java b/handler/src/test/java/io/netty/handler/stream/ChunkedWriteHandlerTest.java
index 66b6951..f556a5f 100644
--- a/handler/src/test/java/io/netty/handler/stream/ChunkedWriteHandlerTest.java
+++ b/handler/src/test/java/io/netty/handler/stream/ChunkedWriteHandlerTest.java
@@ -23,6 +23,7 @@ import io.netty.channel.ChannelFutureListener;
 import io.netty.channel.ChannelHandlerContext;
 import io.netty.channel.embedded.EmbeddedChannel;
 import io.netty.util.CharsetUtil;
+import io.netty.util.internal.PlatformDependent;
 import org.junit.Test;
 import java.io.ByteArrayInputStream;
@@ -47,7 +48,7 @@ public class ChunkedWriteHandlerTest {
 FileOutputStream out = null;
 try {
- TMP = File.createTempFile("netty-chunk-", ".tmp");
+ TMP = PlatformDependent.createTempFile("netty-chunk-", ".tmp", null);
 TMP.deleteOnExit();
 out = new FileOutputStream(TMP);
 out.write(BYTES);
diff --git a/testsuite/src/main/java/io/netty/testsuite/transport/socket/SocketFileRegionTest.java b/testsuite/src/main/java/io/netty/testsuite/transport/socket/SocketFileRegionTest.java
index f08a714..608beed 100644
--- a/testsuite/src/main/java/io/netty/testsuite/transport/socket/SocketFileRegionTest.java
+++ b/testsuite/src/main/java/io/netty/testsuite/transport/socket/SocketFileRegionTest.java
@@ -100,7 +100,7 @@ public class SocketFileRegionTest extends AbstractSocketTest {
 cb.option(ChannelOption.AUTO_READ, autoRead);
 final int bufferSize = 1024;
- final File file = File.createTempFile("netty-", ".tmp");
+ final File file = PlatformDependent.createTempFile("netty-", ".tmp", null);
 file.deleteOnExit();
 final FileOutputStream out = new FileOutputStream(file);
diff --git a/transport-native-epoll/src/test/java/io/netty/channel/epoll/EpollSocketTestPermutation.java b/transport-native-epoll/src/test/java/io/netty/channel/epoll/EpollSocketTestPermutation.java
index 2da13e1..f8d42cb 100644
--- a/transport-native-epoll/src/test/java/io/netty/channel/epoll/EpollSocketTestPermutation.java
+++ b/transport-native-epoll/src/test/java/io/netty/channel/epoll/EpollSocketTestPermutation.java
@@ -32,6 +32,7 @@ import io.netty.testsuite.transport.socket.SocketTestPermutation;
 import io.netty.util.concurrent.DefaultThreadFactory;
 import io.netty.util.internal.logging.InternalLogger;
 import io.netty.util.internal.logging.InternalLoggerFactory;
+import io.netty.util.internal.PlatformDependent;
 import java.io.BufferedReader;
 import java.io.File;
diff --git a/transport-native-epoll/src/test/java/io/netty/channel/epoll/EpollSpliceTest.java b/transport-native-epoll/src/test/java/io/netty/channel/epoll/EpollSpliceTest.java
index 98dcec9..6b975e6 100644
--- a/transport-native-epoll/src/test/java/io/netty/channel/epoll/EpollSpliceTest.java
+++ b/transport-native-epoll/src/test/java/io/netty/channel/epoll/EpollSpliceTest.java
@@ -27,6 +27,7 @@ import io.netty.channel.ChannelInboundHandlerAdapter;
 import io.netty.channel.EventLoopGroup;
 import io.netty.channel.SimpleChannelInboundHandler;
 import io.netty.channel.unix.FileDescriptor;
+import io.netty.util.internal.PlatformDependent;
 import org.junit.Assert;
 import org.junit.Test;
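Review bot: The changed line in SocketFileRegionTest (`@@ -100,7 +100,7 @@`) calls `PlatformDependent.createTempFile(...)`, but this file section adds no `import io.netty.util.internal.PlatformDependent;` and the diffstat lists a single changed line for the file. It therefore compiles only if the packaged source already imports that class, which is worth confirming against the tarball this patch is applied to. The EpollSocketTestPermutation section that follows is the reverse case: it adds the import while nothing in the visible hunk uses it, so it may be an unused import unless the file references the class elsewhere.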
@@ -192,7 +193,7 @@ public class EpollSpliceTest {
 @Test
 public void spliceToFile() throws Throwable {
 EventLoopGroup group = new EpollEventLoopGroup(1);
- File file = File.createTempFile("netty-splice", null);
+ File file = PlatformDependent.createTempFile("netty-splice", null, null);
 file.deleteOnExit();
 SpliceHandler sh = new SpliceHandler(file);
diff --git a/transport-native-unix-common-tests/src/main/java/io/netty/channel/unix/tests/UnixTestUtils.java b/transport-native-unix-common-tests/src/main/java/io/netty/channel/unix/tests/UnixTestUtils.java
index e4ebcb4..2fa4187 100644
--- a/transport-native-unix-common-tests/src/main/java/io/netty/channel/unix/tests/UnixTestUtils.java
+++ b/transport-native-unix-common-tests/src/main/java/io/netty/channel/unix/tests/UnixTestUtils.java
@@ -17,6 +17,7 @@ package io.netty.channel.unix.tests;
 import io.netty.channel.unix.DomainSocketAddress;
 import io.netty.channel.unix.Socket;
+import io.netty.util.internal.PlatformDependent;
 import java.io.File;
 import java.io.IOException;
@@ -26,7 +27,7 @@ public final class UnixTestUtils {
 try {
 File file;
 do {
- file = File.createTempFile("NETTY", "UDS");
+ file = PlatformDependent.createTempFile("NETTY", "UDS", null);
 if (!file.delete()) {
 throw new IOException("failed to delete: " + file);
 }
--
2.23.0