From 9008dc9aade6dbfe4efafcd6872ebc55f4699cf5 Mon Sep 17 00:00:00 2001
From: Dave Cramer <davecramer@gmail.com>
Date: Wed, 23 Nov 2022 09:25:08 -0500
Subject: [PATCH] Merge pull request from GHSA-562r-vg33-8x8h
* Fix: createTempFile vulnerability on unix like systems where temporary files can be read by other users on the system
---
.../org/postgresql/util/StreamWrapper.java | 3 +-
1 files changed, 2 insertions(+), 1 deletions(-)
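diff --git a/src/main/java/org/postgresql/util/StreamWrapper.java b/src/main/java/org/postgresql/util/StreamWrapper.java
index e4d48f7b..7ff49bc4 100644
--- a/src/main/java/org/postgresql/util/StreamWrapper.java
+++ b/src/main/java/org/postgresql/util/StreamWrapper.java
@@ -17,6 +17,7 @@ import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
+import java.nio.file.Files;
 
 /**
 * Wrapper around a length-limited InputStream.
@@ -51,7 +52,7 @@ public class StreamWrapper {
 
 if (memoryLength == -1) {
 final int diskLength;
- final File tempFile = File.createTempFile(TEMP_FILE_PREFIX, null);
+ final File tempFile = Files.createTempFile(TEMP_FILE_PREFIX, null).toFile();
 FileOutputStream diskOutputStream = new FileOutputStream(tempFile);
 diskOutputStream.write(rawData);
 try {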
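Review bot: `diskOutputStream.write(rawData);` still runs before the `try {` that follows it, so an IOException on that first write (a full disk, for instance) leaves the stream open and the temp file on disk, possibly already holding part of the caller's data. Making the write the first statement inside the `try` would cover it, assuming that block closes the stream and deletes the file on failure; the body of the try lies outside this hunk, so that needs confirming. Separately, the permission fix depends on `Files.createTempFile` creating the file owner-only on POSIX file systems, which nothing on the line records. A short comment there, e.g. `// Files.createTempFile creates the file owner-only on POSIX, unlike File.createTempFile`, would keep a later cleanup from reverting to the `java.io.File` call.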
--
2.38.1