
Commit c735357

committed
Use Files.createTempFile(...) to ensure the file is created with proper permissions
Motivation: `File.createTempFile(String, String)` will create a temporary file in the system temporary directory given by 'java.io.tmpdir'. The permissions on that file are determined by the umask. In the majority of cases, this means that the file Java creates has the permissions `-rw-r--r--`, so any other local user on that system can read the contents of that file. This can be a security concern if any sensitive data is stored in this file. This was reported by Jonathan Leitschuh <jonathan.leitschuh@gmail.com> as a security problem. Modifications: Use Files.createTempFile(...), which will use safe defaults when running on Java 7 and later. If running on Java 6 there isn't much we can do, which is fair enough as Java 6 shouldn't be considered "safe" anyway. Result: Create temporary files with sane permissions by default.
1 parent 8f397e2 commit c735357


16 files changed

+47
-20
lines changed


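--- a/buffer/src/test/java/io/netty/buffer/AbstractByteBufTest.java
+++ b/buffer/src/test/java/io/netty/buffer/AbstractByteBufTest.java
@@ -4551,7 +4551,7 @@ private void testGetReadOnlyDst(boolean direct) {
 
 @Test
 public void testReadBytesAndWriteBytesWithFileChannel() throws IOException {
-File file = File.createTempFile("file-channel", ".tmp");
+File file = PlatformDependent.createTempFile("file-channel", ".tmp", null);
 RandomAccessFile randomAccessFile = null;
 try {
 randomAccessFile = new RandomAccessFile(file, "rw");
@@ -4594,7 +4594,7 @@ public void testReadBytesAndWriteBytesWithFileChannel() throws IOException {
 
 @Test
 public void testGetBytesAndSetBytesWithFileChannel() throws IOException {
-File file = File.createTempFile("file-channel", ".tmp");
+File file = PlatformDependent.createTempFile("file-channel", ".tmp", null);
 RandomAccessFile randomAccessFile = null;
 try {
 randomAccessFile = new RandomAccessFile(file, "rw");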

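--- a/buffer/src/test/java/io/netty/buffer/ReadOnlyDirectByteBufferBufTest.java
+++ b/buffer/src/test/java/io/netty/buffer/ReadOnlyDirectByteBufferBufTest.java
@@ -306,7 +306,7 @@ public void testWrapBufferRoundTrip() {
 
 @Test
 public void testWrapMemoryMapped() throws Exception {
-File file = File.createTempFile("netty-test", "tmp");
+File file = PlatformDependent.createTempFile("netty-test", "tmp", null);
 FileChannel output = null;
 FileChannel input = null;
 ByteBuf b1 = null;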

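--- a/codec-http/src/main/java/io/netty/handler/codec/http/multipart/AbstractDiskHttpData.java
+++ b/codec-http/src/main/java/io/netty/handler/codec/http/multipart/AbstractDiskHttpData.java
@@ -19,6 +19,7 @@
 import io.netty.handler.codec.http.HttpConstants;
 import io.netty.util.internal.EmptyArrays;
 import io.netty.util.internal.ObjectUtil;
+import io.netty.util.internal.PlatformDependent;
 import io.netty.util.internal.logging.InternalLogger;
 import io.netty.util.internal.logging.InternalLoggerFactory;
 
@@ -88,9 +89,9 @@ private File tempFile() throws IOException {
 File tmpFile;
 if (getBaseDirectory() == null) {
 // create a temporary file
-tmpFile = File.createTempFile(getPrefix(), newpostfix);
+tmpFile = PlatformDependent.createTempFile(getPrefix(), newpostfix, null);
 } else {
-tmpFile = File.createTempFile(getPrefix(), newpostfix, new File(
+tmpFile = PlatformDependent.createTempFile(getPrefix(), newpostfix, new File(
 getBaseDirectory()));
 }
 if (deleteOnExit()) {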
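Review bot: `tempFile()` declares only `IOException`, but on Java 7 and later the new helper ends in `Files.createTempFile`, which rejects a prefix or suffix it cannot turn into a file name with an unchecked `IllegalArgumentException`. Where `getPrefix()` and `newpostfix` get their values is outside this hunk; if either can carry text taken from the upload request, callers that handle `IOException` would not see that failure. Wrapping it in the helper, `catch (IllegalArgumentException e) { throw new IOException(e); }`, keeps the failure within the declared exception. The same applies to the `"keyutil_" + fqdn + '_'` prefix in SelfSignedCertificate.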

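--- a/codec-http/src/test/java/io/netty/handler/codec/http/HttpChunkedInputTest.java
+++ b/codec-http/src/test/java/io/netty/handler/codec/http/HttpChunkedInputTest.java
@@ -25,6 +25,7 @@
 import io.netty.handler.stream.ChunkedNioStream;
 import io.netty.handler.stream.ChunkedStream;
 import io.netty.handler.stream.ChunkedWriteHandler;
+import io.netty.util.internal.PlatformDependent;
 import org.junit.Test;
 
 import java.io.ByteArrayInputStream;
@@ -46,7 +47,7 @@ public class HttpChunkedInputTest {
 
 FileOutputStream out = null;
 try {
-TMP = File.createTempFile("netty-chunk-", ".tmp");
+TMP = PlatformDependent.createTempFile("netty-chunk-", ".tmp", null);
 TMP.deleteOnExit();
 out = new FileOutputStream(TMP);
 out.write(BYTES);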

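--- a/codec-http/src/test/java/io/netty/handler/codec/http/multipart/AbstractDiskHttpDataTest.java
+++ b/codec-http/src/test/java/io/netty/handler/codec/http/multipart/AbstractDiskHttpDataTest.java
@@ -39,7 +39,7 @@ public class AbstractDiskHttpDataTest {
 public void testGetChunk() throws Exception {
 TestHttpData test = new TestHttpData("test", UTF_8, 0);
 try {
-File tmpFile = File.createTempFile(UUID.randomUUID().toString(), ".tmp");
+File tmpFile = PlatformDependent.createTempFile(UUID.randomUUID().toString(), ".tmp", null);
 tmpFile.deleteOnExit();
 FileOutputStream fos = new FileOutputStream(tmpFile);
 byte[] bytes = new byte[4096];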

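--- a/codec-http/src/test/java/io/netty/handler/codec/http/multipart/AbstractMemoryHttpDataTest.java
+++ b/codec-http/src/test/java/io/netty/handler/codec/http/multipart/AbstractMemoryHttpDataTest.java
@@ -43,7 +43,7 @@ public class AbstractMemoryHttpDataTest {
 public void testSetContentFromFile() throws Exception {
 TestHttpData test = new TestHttpData("test", UTF_8, 0);
 try {
-File tmpFile = File.createTempFile(UUID.randomUUID().toString(), ".tmp");
+File tmpFile = PlatformDependent.createTempFile(UUID.randomUUID().toString(), ".tmp", null);
 tmpFile.deleteOnExit();
 FileOutputStream fos = new FileOutputStream(tmpFile);
 byte[] bytes = new byte[4096];
@@ -70,7 +70,7 @@ public void testSetContentFromFile() throws Exception {
 public void testRenameTo() throws Exception {
 TestHttpData test = new TestHttpData("test", UTF_8, 0);
 try {
-File tmpFile = File.createTempFile(UUID.randomUUID().toString(), ".tmp");
+File tmpFile = PlatformDependent.createTempFile(UUID.randomUUID().toString(), ".tmp", null);
 tmpFile.deleteOnExit();
 final int totalByteCount = 4096;
 byte[] bytes = new byte[totalByteCount];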

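--- a/codec-http/src/test/java/io/netty/handler/codec/http/multipart/DiskFileUploadTest.java
+++ b/codec-http/src/test/java/io/netty/handler/codec/http/multipart/DiskFileUploadTest.java
@@ -273,7 +273,7 @@ public void setSetContentFromFileExceptionally() throws Exception {
 assertEquals(maxSize, f1.length());
 byte[] bytes = new byte[8];
 PlatformDependent.threadLocalRandom().nextBytes(bytes);
-File tmpFile = File.createTempFile(UUID.randomUUID().toString(), ".tmp");
+File tmpFile = PlatformDependent.createTempFile(UUID.randomUUID().toString(), ".tmp", null);
 tmpFile.deleteOnExit();
 FileOutputStream fos = new FileOutputStream(tmpFile);
 try {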

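--- a/common/src/main/java/io/netty/util/internal/NativeLibraryLoader.java
+++ b/common/src/main/java/io/netty/util/internal/NativeLibraryLoader.java
@@ -177,7 +177,7 @@ public static void load(String originalName, ClassLoader loader) {
 String prefix = libname.substring(0, index);
 String suffix = libname.substring(index);
 
-tmpFile = File.createTempFile(prefix, suffix, WORKDIR);
+tmpFile = PlatformDependent.createTempFile(prefix, suffix, WORKDIR);
 in = url.openStream();
 out = new FileOutputStream(tmpFile);
 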
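--- a/common/src/main/java/io/netty/util/internal/PlatformDependent.java
+++ b/common/src/main/java/io/netty/util/internal/PlatformDependent.java
@@ -38,6 +38,7 @@
 import java.lang.reflect.Method;
 import java.nio.ByteBuffer;
 import java.nio.ByteOrder;
+import java.nio.file.Files;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
 import java.util.Arrays;
@@ -1389,6 +1390,24 @@ public static Set<String> normalizedLinuxClassifiers() {
 return LINUX_OS_CLASSIFIERS;
 }
 
+@SuppressJava6Requirement(reason = "Guarded by version check")
+public static File createTempFile(String prefix, String suffix, File directory) throws IOException {
+if (javaVersion() >= 7) {
+if (directory == null) {
+return Files.createTempFile(prefix, suffix).toFile();
+}
+return Files.createTempFile(directory.toPath(), prefix, suffix).toFile();
+}
+if (directory == null) {
+return File.createTempFile(prefix, suffix);
+}
+File file = File.createTempFile(prefix, suffix, directory);
+// Try to adjust the perms, if this fails there is not much else we can do...
+file.setReadable(false, false);
+file.setReadable(true, true);
+return file;
+}
+
 /**
 * Adds only those classifier strings to <tt>dest</tt> which are present in <tt>allowed</tt>.
 *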
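Review bot: On the pre-Java-7 path the `directory == null` branch returns `File.createTempFile(prefix, suffix)` directly, so the `setReadable` tightening below it only runs when a directory is passed; nearly every caller in this commit passes `null`, including the private-key file in SelfSignedCertificate. Creating the file in one statement, `File file = directory == null ? File.createTempFile(prefix, suffix) : File.createTempFile(prefix, suffix, directory);`, lets both cases reach the permission calls. The boolean results of `setReadable` are discarded, so a failure to restrict the file is silent; logging it or throwing an `IOException` would make that visible. The method also has no Javadoc; a short one should state that the file is created owner-only where the platform supports it and that the Java 6 path narrows permissions only after the file already exists.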

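--- a/handler/src/main/java/io/netty/handler/ssl/util/SelfSignedCertificate.java
+++ b/handler/src/main/java/io/netty/handler/ssl/util/SelfSignedCertificate.java
@@ -20,6 +20,7 @@
 import io.netty.buffer.Unpooled;
 import io.netty.handler.codec.base64.Base64;
 import io.netty.util.CharsetUtil;
+import io.netty.util.internal.PlatformDependent;
 import io.netty.util.internal.SystemPropertyUtil;
 import io.netty.util.internal.ThrowableUtil;
 import io.netty.util.internal.logging.InternalLogger;
@@ -30,6 +31,7 @@
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.OutputStream;
+import java.nio.file.Files;
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
 import java.security.NoSuchAlgorithmException;
@@ -330,7 +332,7 @@ static String[] newSelfSignedCertificate(
 wrappedBuf.release();
 }
 
-File keyFile = File.createTempFile("keyutil_" + fqdn + '_', ".key");
+File keyFile = PlatformDependent.createTempFile("keyutil_" + fqdn + '_', ".key", null);
 keyFile.deleteOnExit();
 
 OutputStream keyOut = new FileOutputStream(keyFile);
@@ -361,7 +363,7 @@ static String[] newSelfSignedCertificate(
 wrappedBuf.release();
 }
 
-File certFile = File.createTempFile("keyutil_" + fqdn + '_', ".crt");
+File certFile = PlatformDependent.createTempFile("keyutil_" + fqdn + '_', ".crt", null);
 certFile.deleteOnExit();
 
 OutputStream certOut = new FileOutputStream(certFile);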
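Review bot: The added `import java.nio.file.Files;` is not used by any changed line shown here, since both call sites go through `PlatformDependent.createTempFile`; unless code outside these hunks needs it, the import should be dropped. Separately, the private key is written through `new FileOutputStream(keyFile)` right after creation, so its confidentiality rests entirely on the permissions the helper sets. A comment at the `keyFile` line such as `// must be created owner-only: this file holds the private key` would record that dependency for later maintainers. `newSelfSignedCertificate` starts and ends outside these hunks.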

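--- a/handler/src/test/java/io/netty/handler/stream/ChunkedWriteHandlerTest.java
+++ b/handler/src/test/java/io/netty/handler/stream/ChunkedWriteHandlerTest.java
@@ -26,6 +26,7 @@
 import io.netty.channel.embedded.EmbeddedChannel;
 import io.netty.util.CharsetUtil;
 import io.netty.util.ReferenceCountUtil;
+import io.netty.util.internal.PlatformDependent;
 import org.junit.Assert;
 import org.junit.Test;
 
@@ -55,7 +56,7 @@ public class ChunkedWriteHandlerTest {
 
 FileOutputStream out = null;
 try {
-TMP = File.createTempFile("netty-chunk-", ".tmp");
+TMP = PlatformDependent.createTempFile("netty-chunk-", ".tmp", null);
 TMP.deleteOnExit();
 out = new FileOutputStream(TMP);
 out.write(BYTES);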

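--- a/handler/src/test/java/io/netty/handler/traffic/FileRegionThrottleTest.java
+++ b/handler/src/test/java/io/netty/handler/traffic/FileRegionThrottleTest.java
@@ -32,6 +32,7 @@
 import io.netty.channel.socket.nio.NioSocketChannel;
 import io.netty.handler.codec.LineBasedFrameDecoder;
 import io.netty.util.CharsetUtil;
+import io.netty.util.internal.PlatformDependent;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.BeforeClass;
@@ -61,7 +62,7 @@ public static void beforeClass() throws IOException {
 BYTES[i] = (byte) r.nextInt(255);
 }
 
-tmp = File.createTempFile("netty-traffic", ".tmp");
+tmp = PlatformDependent.createTempFile("netty-traffic", ".tmp", null);
 tmp.deleteOnExit();
 FileOutputStream out = null;
 try {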

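--- a/testsuite/src/main/java/io/netty/testsuite/transport/socket/SocketFileRegionTest.java
+++ b/testsuite/src/main/java/io/netty/testsuite/transport/socket/SocketFileRegionTest.java
@@ -102,7 +102,7 @@ public void testFileRegionVoidPromiseNotAutoRead(ServerBootstrap sb, Bootstrap c
 }
 
 public void testFileRegionCountLargerThenFile(ServerBootstrap sb, Bootstrap cb) throws Throwable {
-File file = File.createTempFile("netty-", ".tmp");
+File file = PlatformDependent.createTempFile("netty-", ".tmp", null);
 file.deleteOnExit();
 
 final FileOutputStream out = new FileOutputStream(file);
@@ -136,7 +136,7 @@ private static void testFileRegion0(
 cb.option(ChannelOption.AUTO_READ, autoRead);
 
 final int bufferSize = 1024;
-final File file = File.createTempFile("netty-", ".tmp");
+final File file = PlatformDependent.createTempFile("netty-", ".tmp", null);
 file.deleteOnExit();
 
 final FileOutputStream out = new FileOutputStream(file);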

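--- a/transport-native-epoll/src/test/java/io/netty/channel/epoll/EpollSpliceTest.java
+++ b/transport-native-epoll/src/test/java/io/netty/channel/epoll/EpollSpliceTest.java
@@ -28,6 +28,7 @@
 import io.netty.channel.SimpleChannelInboundHandler;
 import io.netty.channel.unix.FileDescriptor;
 import io.netty.util.NetUtil;
+import io.netty.util.internal.PlatformDependent;
 import org.junit.Assert;
 import org.junit.Test;
 
@@ -192,7 +193,7 @@ public void operationComplete(ChannelFuture future) throws Exception {
 @Test(timeout = 10000)
 public void spliceToFile() throws Throwable {
 EventLoopGroup group = new EpollEventLoopGroup(1);
-File file = File.createTempFile("netty-splice", null);
+File file = PlatformDependent.createTempFile("netty-splice", null, null);
 file.deleteOnExit();
 
 SpliceHandler sh = new SpliceHandler(file);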

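--- a/transport-native-unix-common-tests/src/main/java/io/netty/channel/unix/tests/UnixTestUtils.java
+++ b/transport-native-unix-common-tests/src/main/java/io/netty/channel/unix/tests/UnixTestUtils.java
@@ -17,6 +17,7 @@
 
 import io.netty.channel.unix.DomainSocketAddress;
 import io.netty.channel.unix.Socket;
+import io.netty.util.internal.PlatformDependent;
 
 import java.io.File;
 import java.io.IOException;
@@ -26,7 +27,7 @@ public static DomainSocketAddress newSocketAddress() {
 try {
 File file;
 do {
-file = File.createTempFile("NETTY", "UDS");
+file = PlatformDependent.createTempFile("NETTY", "UDS", null);
 if (!file.delete()) {
 throw new IOException("failed to delete: " + file);
 }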
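Review bot: The tightened permissions have no effect in `newSocketAddress()`, because the file is removed by `file.delete()` on the next line and only its path is reused. Between that delete and whatever later binds the socket (the rest of the loop is outside this hunk), the name is free again in a directory other local users may be able to write to. A comment such as `// only the generated name is used; the file itself is removed before the socket is bound` would make the intent clear. On Java 7 and later, placing the socket path inside a directory from `Files.createTempDirectory` would keep the name within an owner-only location.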

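--- a/transport/src/test/java/io/netty/channel/DefaultFileRegionTest.java
+++ b/transport/src/test/java/io/netty/channel/DefaultFileRegionTest.java
@@ -39,7 +39,7 @@ public class DefaultFileRegionTest {
 }
 
 private static File newFile() throws IOException {
-File file = File.createTempFile("netty-", ".tmp");
+File file = PlatformDependent.createTempFile("netty-", ".tmp", null);
 file.deleteOnExit();
 
 final FileOutputStream out = new FileOutputStream(file);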
