security is broken when temporary private key file won't get deleted if exception thrown #73
Comments
@jimengliu/z this project will fix the problem faster if you donate a few dollars to it; just click here and pay via Stripe, it's very fast, convenient and appreciated; thanks a lot!
@rultor release, tag is
@jimengliu fixed and released in 1.6.1. Thanks!
Job
The job is not in WBS, won't close the order
Thanks @yegor256 for the quick fix on this! When do you release the jcabi-ssh.jar on Maven Central (https://mvnrepository.com/artifact/com.jcabi/jcabi-ssh), where we downloaded it officially?
@yegor256 Oh, I do see it here http://central.maven.org/maven2/com/jcabi/jcabi-ssh/1.6.1/, but there is no link from https://mvnrepository.com. So, I am OK now. Thanks!
After using jcabi-ssh for a while, I noticed a lot of private key files inside the /tmp folder. This poses significant security issues.
The problem is in the session() function (in file src/main/java/com/jcabi/ssh/Ssh.java). The temporary private key file was constructed first, but it won't get deleted when an exception is thrown, because the line to delete the file
Files.deleteIfExists(file.toPath());
is within the try{} block, not in the finally{} block.
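The cleanup pattern described in the report, shown beside the try/finally form, as an added example that is not jcabi-ssh's own code. The class, the method names, the failing `connect()` stand-in and the placeholder key text are all hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.stream.Stream;

public class TempKeyCleanup {
    // Constructed placeholder text, not a real private key.
    static final byte[] KEY =
        "-----PLACEHOLDER KEY-----\n".getBytes(StandardCharsets.UTF_8);

    // Hypothetical stand-in for a connection attempt that fails.
    static void connect(Path key) throws IOException {
        throw new IOException("simulated connection failure");
    }

    // Reported pattern: the delete is the last statement inside try,
    // so it is skipped whenever an earlier statement throws.
    static void leaky(Path dir) throws IOException {
        Path file = Files.createTempFile(dir, "key", ".pem");
        try {
            Files.write(file, KEY);
            connect(file);
            Files.deleteIfExists(file);
        } catch (IOException ex) {
            throw new IOException("session failed", ex);
        }
    }

    // Corrected pattern: finally runs on both the normal and the failing path.
    static void cleaned(Path dir) throws IOException {
        Path file = Files.createTempFile(dir, "key", ".pem");
        try {
            Files.write(file, KEY);
            connect(file);
        } finally {
            Files.deleteIfExists(file);
        }
    }

    // Counts the files left behind in a directory.
    static long leftovers(Path dir) throws IOException {
        try (Stream<Path> entries = Files.list(dir)) { return entries.count(); }
    }

    public static void main(String[] args) throws IOException {
        Path a = Files.createTempDirectory("leaky");
        Path b = Files.createTempDirectory("cleaned");
        try { leaky(a); } catch (IOException expected) { /* simulated failure */ }
        try { cleaned(b); } catch (IOException expected) { /* simulated failure */ }
        System.out.println("leaky: " + leftovers(a) + ", cleaned: " + leftovers(b));
    }
}
```

Counting the files that remain in a scratch directory after a forced failure is also a simple regression check for this class of bug.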