security is broken when temporary private key file won't get deleted if exception thrown

[jimengliu]

After using jcabi-ssh for a while, I noticed a lot of private key files inside /tmp folder. This poses significant security issues.

The problem is in session() function (in file src/main/java/com/jcabi/ssh/Ssh.java). The temporary private key file was constructed first, but it won't get deleted when there is exception thrown. Because the line to delete the file

Files.deleteIfExists(file.toPath());

is within try{} block, not in finally{} block.

[0crat]

@yegor256/z please, pay attention to this issue

[0crat]

@jimengliu/z this project will fix the problem faster if you donate a few dollars to it; just click here and pay via Stripe, it's very fast, convenient and appreciated; thanks a lot!

[yegor256]

@rultor release, tag is 1.6.1

[rultor]

@rultor release, tag is 1.6.1

@yegor256 OK, I will release it now. Please check the progress here

[rultor]

@rultor release, tag is 1.6.1

@yegor256 Done! FYI, the full log is here (took me 19min)

[yegor256]

@jimengliu fixed and release in 1.6.1. Thanks!

[0crat]

Job gh:jcabi/jcabi-ssh#73 is not assigned, can't get performer

[0crat]

The job is not in WBS, won't close the order

[jimengliu]

Thanks @yegor256 for quick fix on this! When do you release the jcabi-ssh.jar on maven central(https://mvnrepository.com/artifact/com.jcabi/jcabi-ssh) where we downloaded officially ?

[jimengliu]

@yegor256 Oh, I do see here http://central.maven.org/maven2/com/jcabi/jcabi-ssh/1.6.1/, but no link from https://mvnrepository.com. So, I am OK now. Thanks!