Only attempt to create tempDir (and parents) when the last level of it is not a symlink#3511
Only attempt to create tempDir (and parents) when the last level of it is not a symlink#3511katzyn merged 2 commits intoh2database:masterfrom
Conversation
| if (!Files.isSymbolicLink(tempDir)) { | ||
| Files.createDirectories(tempDir); | ||
| } | ||
| file = Files.createTempFile(prefix, suffix); |
There was a problem hiding this comment.
PATH_TRAVERSAL_IN: This API (java/nio/file/Files.createTempFile(Ljava/lang/String;Ljava/lang/String;[Ljava/nio/file/attribute/FileAttribute;)Ljava/nio/file/Path;) reads a file whose location might be specified by user input
(at-me in a reply with help or ignore)
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
There was a problem hiding this comment.
The PATH_TRAVERSAL_IN behaviour is unmodified by this change, so won't fix it in my PR
| @@ -445,7 +445,10 @@ public FilePath createTempFile(String suffix, boolean inTempDir) throws IOExcept | |||
| Path file = Paths.get(name + '.').toAbsolutePath(); | |||
There was a problem hiding this comment.
PATH_TRAVERSAL_IN: This API (java/nio/file/Paths.get(Ljava/lang/String;[Ljava/lang/String;)Ljava/nio/file/Path;) reads a file whose location might be specified by user input
(at-me in a reply with help or ignore)
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
|
Thank you for your contribution! I think it will be better to perform
|
…l part of the temp path and is a better fit
Agree, didn't test it before, blindly assumed isDirectory would suffer from similar symptoms, but it's indeed capable of detecting the symlinked directory as a directory. Updated the PR for it. |
| if (!Files.isDirectory(tempDir)) { | ||
| Files.createDirectories(tempDir); | ||
| } | ||
| file = Files.createTempFile(prefix, suffix); |
There was a problem hiding this comment.
PATH_TRAVERSAL_IN: This API (java/nio/file/Files.createTempFile(Ljava/lang/String;Ljava/lang/String;[Ljava/nio/file/attribute/FileAttribute;)Ljava/nio/file/Path;) reads a file whose location might be specified by user input
(at-me in a reply with help or ignore)
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
| @@ -445,7 +445,10 @@ public FilePath createTempFile(String suffix, boolean inTempDir) throws IOExcept | |||
| Path file = Paths.get(name + '.').toAbsolutePath(); | |||
There was a problem hiding this comment.
PATH_TRAVERSAL_IN: This API (java/nio/file/Paths.get(Ljava/lang/String;[Ljava/lang/String;)Ljava/nio/file/Path;) reads a file whose location might be specified by user input
(at-me in a reply with help or ignore)
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
|
Thanks! |
First check whether the java.io.tmpdir is a symlink before trying to create the directory structure including any missing parents as by design Files.createDirectories() will throw a FileAlreadyExistsException when the last level of the path is a symlink.
Fixes #3510