File ant-CVE-2020-1945-3.patch of Package ant.26115
From a8645a151bc706259fb1789ef587d05482d98612 Mon Sep 17 00:00:00 2001
From: Stefan Bodewig <bodewig@apache.org>
Date: Tue, 5 May 2020 15:32:09 +0200
Subject: [PATCH] use nio.Files.createTempFile rather than File.createTempFile
---
.../org/apache/tools/ant/util/FileUtils.java | 35 ++++++++++++++++++-
.../apache/tools/ant/util/FileUtilsTest.java | 13 +++++++
2 files changed, 47 insertions(+), 1 deletion(-)
Index: apache-ant-1.9.4/src/main/org/apache/tools/ant/util/FileUtils.java
===================================================================
--- apache-ant-1.9.4.orig/src/main/org/apache/tools/ant/util/FileUtils.java
+++ apache-ant-1.9.4/src/main/org/apache/tools/ant/util/FileUtils.java
@@ -30,10 +30,17 @@ import java.net.JarURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLConnection;
+import java.nio.file.Files;
+import java.nio.file.Path;
import java.nio.channels.Channel;
+import java.nio.file.attribute.FileAttribute;
+import java.nio.file.attribute.PosixFileAttributeView;
+import java.nio.file.attribute.PosixFilePermission;
+import java.nio.file.attribute.PosixFilePermissions;
import java.text.DecimalFormat;
import java.util.ArrayList;
import java.util.Arrays;
+import java.util.EnumSet;
import java.util.Iterator;
import java.util.List;
import java.util.Random;
@@ -92,6 +99,14 @@ public class FileUtils {
*/
public static final long NTFS_FILE_TIMESTAMP_GRANULARITY = 1;
+ private static final FileAttribute[] TMPFILE_ATTRIBUTES =
+ new FileAttribute[] {
+ PosixFilePermissions.asFileAttribute(EnumSet.of(PosixFilePermission.OWNER_READ,
+ PosixFilePermission.OWNER_WRITE))
+ };
+ private static final FileAttribute[] NO_TMPFILE_ATTRIBUTES = new FileAttribute[0];
+
+
/**
* A one item cache for fromUri.
* fromUri is called for each element when parseing ant build
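Review bot: `TMPFILE_ATTRIBUTES` and `NO_TMPFILE_ATTRIBUTES` are declared with the raw type `FileAttribute[]`, which javac's rawtypes lint flags, while `Files.createTempFile` takes `FileAttribute<?>...`. Declaring them as `private static final FileAttribute<?>[] TMPFILE_ATTRIBUTES = new FileAttribute<?>[] {` and `new FileAttribute<?>[0]` avoids the raw type without changing behaviour. Both constants carry the security intent of this patch but have no comment; something like `// owner read/write only, so other local users cannot read or modify the temp file` above the first one would record it. The doubled blank line after the constants can be dropped.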
@@ -880,6 +895,10 @@ public class FileUtils {
* yield a different file name.
* </p>
*
+ * <p>If the filesystem where the temporary file is created
+ * supports POSIX permissions, the file will only be readable and
+ * writable by the current user.</p>
+ *
* @param prefix file name prefix.
* @param suffix
* file extension; include the '.'.
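Review bot: The added Javadoc paragraph states the owner-only guarantee unconditionally, but the implementation hunk at -969 applies the permissions only inside `if (createFile)`. The bodies of these overloads are outside the hunks, so it cannot be confirmed here which of them actually create the file. If any can return a name without creating it, whoever creates the file later gets none of this protection. Wording such as `If this method creates the file and the filesystem supports POSIX permissions, the file will only be readable and writable by the current user; otherwise platform default permissions apply.` would keep callers from over-trusting it. The same paragraph is repeated in the hunks at -902, -932 and -1000.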
@@ -902,6 +921,10 @@ public class FileUtils {
* exist before this method was invoked, any subsequent invocation
* of this method will yield a different file name.</p>
*
+ * <p>If the filesystem where the temporary file is created
+ * supports POSIX permissions, the file will only be readable and
+ * writable by the current user.</p>
+ *
* @param prefix file name prefix.
* @param suffix file extension; include the '.'.
* @param parentDir Directory to create the temporary file in;
@@ -932,6 +955,10 @@ public class FileUtils {
* exist before this method was invoked, any subsequent invocation
* of this method will yield a different file name.</p>
*
+ * <p>If the filesystem where the temporary file is created
+ * supports POSIX permissions, the file will only be readable and
+ * writable by the current user.</p>
+ *
* @param project reference to the current Ant project.
* @param prefix file name prefix.
* @param suffix file extension; include the '.'.
@@ -969,7 +996,12 @@ public class FileUtils {
if (createFile) {
try {
- result = File.createTempFile(prefix, suffix, new File(parent));
+ final Path parentPath = new File(parent).toPath();
+ final PosixFileAttributeView parentPosixAttributes =
+ Files.getFileAttributeView(parentPath, PosixFileAttributeView.class);
+ result = Files.createTempFile(parentPath, prefix, suffix,
+ parentPosixAttributes != null ? TMPFILE_ATTRIBUTES : NO_TMPFILE_ATTRIBUTES)
+ .toFile();
} catch (IOException e) {
throw new BuildException("Could not create tempfile in "
+ parent, e);
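Review bot: When `parentPosixAttributes` is null the call passes `NO_TMPFILE_ATTRIBUTES`, so on a filesystem without a POSIX attribute view the file is created with platform-default access and nothing in the code or build output records that the restriction was skipped. A comment on that branch would make the residual exposure explicit to maintainers, for example `// no POSIX view: the file inherits the parent directory's access control, so the temp dir itself must not be writable by other users`. It may also be worth checking that callers do not rely on the old `File.createTempFile` argument validation, since `Files.createTempFile` accepts different prefix and suffix values and only `IOException` is caught here. The enclosing method begins and ends outside this hunk.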
@@ -1000,6 +1032,10 @@ public class FileUtils {
* yield a different file name.
* </p>
*
+ * <p>If the filesystem where the temporary file is created
+ * supports POSIX permissions, the file will only be readable and
+ * writable by the current user.</p>
+ *
* @param prefix file name prefix.
* @param suffix
* file extension; include the '.'.
Index: apache-ant-1.9.4/src/tests/junit/org/apache/tools/ant/util/FileUtilsTest.java
===================================================================
--- apache-ant-1.9.4.orig/src/tests/junit/org/apache/tools/ant/util/FileUtilsTest.java
+++ apache-ant-1.9.4/src/tests/junit/org/apache/tools/ant/util/FileUtilsTest.java
@@ -28,6 +28,12 @@ import org.apache.tools.ant.taskdefs.con
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
+import java.util.Set;
+
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.attribute.PosixFileAttributeView;
+import java.nio.file.attribute.PosixFilePermission;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
@@ -361,6 +367,14 @@ public class FileUtilsTest {
assertTrue("File was created", tmp1.exists());
assertEquals((new File(tmploc, tmp1.getName())).getAbsolutePath(), tmp1
.getAbsolutePath());
+ final PosixFileAttributeView attributes =
+ Files.getFileAttributeView(tmp1.toPath(), PosixFileAttributeView.class);
+ if (attributes != null) {
+ final Set<PosixFilePermission> perm = attributes.readAttributes().permissions();
+ assertTrue(perm.contains(PosixFilePermission.OWNER_READ));
+ assertTrue(perm.contains(PosixFilePermission.OWNER_WRITE));
+ assertTrue(perm.size() == 2);
+ }
tmp1.delete();
// null parent dir, project without magic property
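Review bot: The new permission assertions run only when a POSIX view exists, so on other platforms the test passes without checking anything, and `assertTrue(perm.size() == 2)` reports no actual value on failure. Since `assertEquals` is already statically imported, `assertEquals(2, perm.size());` gives a more useful failure message. Only `tmp1` is checked in this hunk. The later temp-file cases in the same test method lie outside the hunk and appear to get no equivalent permission check, so a regression in another overload could go unnoticed.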