struts-issues mailing list archives

From "Yasser Zamani (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-4948) Struts 2.5.16 is creating jar_cache files in temp folder
Date Fri, 07 Sep 2018 10:47:00 GMT

    [ https://issues.apache.org/jira/browse/WW-4948?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16606974#comment-16606974 ]

Yasser Zamani commented on WW-4948:
-----------------------------------

[~JcAj4832610521], you're welcome, actually I like people like you with such great analysis
(especially #4), thanks! :)

I see the {{StrutsJarURLConnection}} access modifier is package scope, for Struts internal
use only. It is used only inside {{JarEntryRevision}} as below:
{code:java}
// inside JarEntryRevision: the connection is closed automatically when the block exits
try (StrutsJarURLConnection conn = StrutsJarURLConnection.openConnection(fileUrl)) {
    conn.setUseCaches(false);
    // getOrCompareTheLastModifiedDateOfTheEntry
} catch (Throwable e) {
    // debug logging
}
{code}
With the above {{try-with-resources}}, the JVM immediately deletes the temp file after {{getOrCompareTheLastModifiedDateOfTheEntry}},
in *less than a few milliseconds*, because of the {{AutoCloseable}} {{close()}} below:
{code:java}
    @Override
    public void close() throws Exception {
        //...
        if (jarURLConnection == null) {
            try {
                jarFile.close();// NOTE: this causes deleting temp file because of JarFile.OPEN_DELETE
            } catch (IOException ignored) {
            }
        }
    }
{code}
 
So with this background:

0) I think it's impossible to have a solution for when the JVM crashes.
1) Actually it's a cache with a very short lifetime. Maybe we should rename it. Struts doesn't want to
have a long-lived resource. It just needs to get or compare the last modified date of
an entry inside a jar (less than a few ms) and after that releases the resource.
2) Struts doesn't copy the whole jar, I think. It copies a small entry inside of the jar, e.g.
{{struts.jar!/struts-default.xml}}.
3) As I mentioned above, with this PR, the JVM immediately deletes the temp file in less than
a few ms.
4) According to answers #1, #2 and #3, do you still believe it could be a security issue?
I need to think more :)

I also reviewed your links above. Actually, I think we cannot be sure that any other container
that does not return a {{JarURLConnection}} will always have {{zip:}} in its URL! It may have e.g.
{{myProtocol:}}. We can only be sure it can provide us an {{InputStream}} of that entry inside the
jar, I think. So, again according to answers #1, #2 and #3, do you still believe it must be
removed using that {{InputStream}}?

> Struts 2.5.16 is creating jar_cache files in temp folder 
> ---------------------------------------------------------
>
>                 Key: WW-4948
>                 URL: https://issues.apache.org/jira/browse/WW-4948
>             Project: Struts 2
>          Issue Type: Bug
>            Reporter: Dhinakar
>            Assignee: Yasser Zamani
>            Priority: Critical
>             Fix For: 2.5.18
>
>
> struts latest version 2.5.16 is creating temp files jar_cache in tmp folder. It seems
> Struts 2.5.16 is having some logic to create jar cache files every time it is loading any
> struts action from a jar file. Can you please check?



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
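Added example, written for this archive page and not taken from the Struts project or from the comment above: a small Java program that demonstrates the {{JarFile.OPEN_DELETE}} behaviour the comment relies on (the {{JarFile.OPEN_DELETE}} note in the {{close()}} snippet). It writes a constructed one-entry jar to a temp file, reads the entry's last-modified date once with plain {{OPEN_READ}} and once with {{OPEN_READ | OPEN_DELETE}}, and reports whether the temp file survived {{close()}}. The class name {{OpenDeleteDemo}}, the helper names, the entry name and the timestamp are assumptions of the example, not identifiers from Struts.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.JarOutputStream;
import java.util.zip.ZipFile;

/**
 * Added example (not Struts code): what JarFile.OPEN_DELETE does to a temporary
 * copy of a jar once try-with-resources calls close() on the JarFile.
 */
public class OpenDeleteDemo {

    // Constructed sample jar with one entry, standing in for the
    // "struts.jar!/struts-default.xml" case from the comment.
    static File writeSampleJar() throws IOException {
        File jar = File.createTempFile("jar_cache_demo", ".tmp");
        try (JarOutputStream out = new JarOutputStream(new FileOutputStream(jar))) {
            JarEntry entry = new JarEntry("struts-default.xml");
            entry.setTime(1_536_000_000_000L); // constructed last-modified timestamp
            out.putNextEntry(entry);
            out.write("<struts/>".getBytes(StandardCharsets.UTF_8));
            out.closeEntry();
        }
        return jar;
    }

    /** Opens the jar in the given mode and reads one entry's last-modified time. */
    static long readEntryTime(File jar, int mode) throws IOException {
        // verify=false: the sample jar is unsigned, and signature checks are not the point here
        try (JarFile jf = new JarFile(jar, false, mode)) {
            JarEntry e = jf.getJarEntry("struts-default.xml");
            if (e == null) {
                throw new IOException("entry missing from sample jar");
            }
            return e.getTime();
        } // JarFile.close() runs here; with OPEN_DELETE the backing file is gone by now
    }

    public static void main(String[] args) throws IOException {
        // 1) Plain OPEN_READ: the temp copy outlives close() and would accumulate in java.io.tmpdir.
        File leaky = writeSampleJar();
        readEntryTime(leaky, ZipFile.OPEN_READ);
        System.out.println("OPEN_READ: temp file still exists = " + leaky.exists());
        Files.delete(leaky.toPath()); // clean up the demonstration file ourselves

        // 2) OPEN_READ | OPEN_DELETE: the JDK deletes the file between open and close,
        //    so after try-with-resources nothing is left behind in the temp folder.
        File shortLived = writeSampleJar();
        long time = readEntryTime(shortLived, ZipFile.OPEN_READ | ZipFile.OPEN_DELETE);
        System.out.println("entry last-modified = " + time);
        System.out.println("OPEN_DELETE: temp file still exists = " + shortLived.exists());
    }
}
```

Compile and run with {{javac OpenDeleteDemo.java && java OpenDeleteDemo}}. The {{ZipFile.OPEN_DELETE}} javadoc only promises that the file is deleted "some time between the moment that it is opened and the moment that it is closed" while its contents stay readable through the {{ZipFile}} object, so the program checks the state after {{close()}}, which is the point the comment makes about the try-with-resources block: the lifetime of the temp file is bounded by the time it takes to read one entry's date. What remains on disk after an abrupt JVM exit (item 0 in the comment) is outside that guarantee, which is why a periodic sweep of stale {{jar_cache*}} files in the temp directory is the practical safeguard for that case.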