[ https://issues.apache.org/jira/browse/WW-4948?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16606974#comment-16606974
]
Yasser Zamani commented on WW-4948:
-----------------------------------
[~JcAj4832610521], you're welcome, actually I like people like you with such great analysis
(specially #4) thanks! :)
I see {{StrutsJarURLConnection}} access modifier is package scope for only Struts internal
use. It is used only inside {{JarEntryRevision}} as below:
{code:java}
try (StrutsJarURLConnection conn = StrutsJarURLConnection.openConnection(fileUrl))
{
conn.setUseCaches(false);
//getOrCompareTheLastModifiedDateOfTheEntry
} catch (Throwable e) {
//debug logging
}
{code}
With above {{try-with-resources}}, JVM immediately deletes the temp file after {{getOrCompareTheLastModifiedDateOfTheEntry}}
in *less than a few milli seconds* because of {{AutoClosable}} below:
{code:java}
@Override
public void close() throws Exception {
//...
if (jarURLConnection == null) {
try {
jarFile.close();// NOTE: this causes deleting temp file because of JarFile.OPEN_DELETE
} catch (IOException ignored) {
}
}
}
{code}
So with this background:
0) I think it's impossible to have a solution for when JVM crashes.
1) Actually it's a too short time cache. Maybe we should rename it. Struts doesn't want to
have a long time alive resource. It just needs to get or compare the last modified date of
an entry inside a jar (less than a few ms) and after that, releases the resource.
2) Struts doesn't copy the whole jar, I think. It copies a small entry inside of jar e.g.
{{struts.jar!/struts-default.xml}}
3) As I mentioned above, with this PR, JVM immediately deletes the temp file in less than
a few ms.
4) According to answers #1, #2 and #3, do you still believe it could be a security issue?
I need to think more :)
I also reviewed your links above. Actually, I think, we cannot be sure if any other container
that not return {{JarURLConnection}} will always has {{zip:}} in it's URL! It maybe has e.g.
{{myProtocol:}}. We only can be sure it can provide us an {{InputStream}} of that entry inside
jar, I think. So same, according to answers #1, #2 and #3, do you still believe it must be
removed using that {{InputStream}}?
> Struts 2.5.16 is creating jar_cache files in temp folder
> ---------------------------------------------------------
>
> Key: WW-4948
> URL: https://issues.apache.org/jira/browse/WW-4948
> Project: Struts 2
> Issue Type: Bug
> Reporter: Dhinakar
> Assignee: Yasser Zamani
> Priority: Critical
> Fix For: 2.5.18
>
>
> struts latest version 2.5.16 is creating temp files jar_cache in tmp folder. It seems
Struts 2.5.16 is having some logic to create jar cache files every time it is loading any
struts action from a jar file . Can you please check?
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
|