Skip to content

fix(wrapper): replace mktemp with POSIX-compliant temp dir creation in only-mvnw#418

Open
armorbreak001 wants to merge 1 commit intoapache:masterfrom
armorbreak001:fix/311-posix-mktemp
Open

fix(wrapper): replace mktemp with POSIX-compliant temp dir creation in only-mvnw#418
armorbreak001 wants to merge 1 commit intoapache:masterfrom
armorbreak001:fix/311-posix-mktemp

Conversation

@armorbreak001
Copy link
Copy Markdown

@armorbreak001 armorbreak001 commented Apr 21, 2026

Summary

Fixes #311

only-mvnw declares #!/bin/sh shebang but uses mktemp -d, which is not POSIX-compliant and not available in all shells (e.g., ksh, some bash versions on AIX).

Changes

Replace mktemp -d with a portable alternative using TMPDIR, PID ($$), and epoch timestamp to construct a unique temp directory path, then create it with mkdir -p.

This approach:

  • Uses only POSIX shell builtins/commands available everywhere
  • Maintains the same cleanup behavior via the existing trap clean EXIT
  • Respects TMPDIR like the original code did

Testing

  • Verified the script still parses correctly
  • The temp dir creation follows the same pattern used in the regular mvnw wrapper script

@armorbreak001
fix(wrapper): replace mktemp with POSIX-compliant temp dir creation i…
b89013c 
…n only-mvnw

mktemp is not available in all POSIX shells (e.g., ksh, some bash versions
on AIX). Use TMPDIR/PID/timestamp-based directory creation with mkdir -p
instead, which works everywhere.

Fixes apache#311
@slachiewicz slachiewicz requested a review from Copilot April 22, 2026 13:44
@slachiewicz slachiewicz added the bug Something isn't working label Apr 22, 2026
Copilot AI reviewed Apr 22, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the only-mvnw POSIX /bin/sh wrapper to avoid relying on mktemp -d for creating the temporary download directory, targeting better portability across non-GNU / non-Bash-default environments (e.g., AIX/ksh).

Changes:

  • Replaces mktemp -d temp dir creation with a TMPDIR-based path and mkdir -p.
  • Adds a comment clarifying the intent to be POSIX-compatible.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread maven-wrapper-distribution/src/resources/only-mvnw
Comment on lines +164 to +166
_tmp_base="${TMPDIR:-/tmp}"
TMP_DOWNLOAD_DIR="$_tmp_base/maven_wrapper.$$_$(date +%s)"
if mkdir -p -- "$TMP_DOWNLOAD_DIR" && [ -d "$TMP_DOWNLOAD_DIR" ]; then
Copy link

Copilot AI Apr 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

date +%s is not specified by POSIX and is missing on some platforms (incl. AIX), so this temp dir name generation can fail or produce non-unique names. Use a POSIX format (e.g., date '+%Y%m%d%H%M%S') and/or a small looped suffix counter to guarantee uniqueness without relying on %s.

Copilot uses AI. Check for mistakes.
Comment thread maven-wrapper-distribution/src/resources/only-mvnw
Comment on lines +163 to 167
# prepare tmp dir (POSIX-compatible: avoid mktemp which is not available in all shells)
_tmp_base="${TMPDIR:-/tmp}"
TMP_DOWNLOAD_DIR="$_tmp_base/maven_wrapper.$$_$(date +%s)"
if mkdir -p -- "$TMP_DOWNLOAD_DIR" && [ -d "$TMP_DOWNLOAD_DIR" ]; then
clean() { rm -rf -- "$TMP_DOWNLOAD_DIR"; }
Copy link

Copilot AI Apr 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The temp directory path is predictable and mkdir -p will succeed if it already exists, which can lead to reusing a pre-existing directory (DoS) and enables TOCTOU/symlink attacks on files created inside it (e.g., Downloader.java, the downloaded archive). Prefer creating a new directory with mkdir (no -p) in a loop until it succeeds, set a restrictive umask/mode, and consider using mktemp -d when available with a POSIX fallback when it isn’t.

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

bug Something isn't working

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[MWRAPPER-152] only-mvnw is not POSIX compatible

3 participants

@armorbreak001 @slachiewicz