From 9008dc9aade6dbfe4efafcd6872ebc55f4699cf5 Mon Sep 17 00:00:00 2001 From: Dave Cramer Date: Wed, 23 Nov 2022 09:25:08 -0500 Subject: [PATCH] Merge pull request from GHSA-562r-vg33-8x8h * Fix: createTempFile vulnerability on unix like systems where temporary files can be read by other users on the system --- .../org/postgresql/util/StreamWrapper.java | 3 +- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/src/main/java/org/postgresql/util/StreamWrapper.java b/src/main/java/org/postgresql/util/StreamWrapper.java index e4d48f7b..7ff49bc4 100644 --- a/src/main/java/org/postgresql/util/StreamWrapper.java +++ b/src/main/java/org/postgresql/util/StreamWrapper.java @@ -17,6 +17,7 @@ import java.io.FileOutputStream; import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; +import java.nio.file.Files; /** * Wrapper around a length-limited InputStream. @@ -51,7 +52,7 @@ public class StreamWrapper { if (memoryLength == -1) { final int diskLength; - final File tempFile = File.createTempFile(TEMP_FILE_PREFIX, null); + final File tempFile = Files.createTempFile(TEMP_FILE_PREFIX, null).toFile(); FileOutputStream diskOutputStream = new FileOutputStream(tempFile); diskOutputStream.write(rawData); try { -- 2.38.1