Fix google#4011: Files::createTempDir security vulnerability

melloware · Nov 19, 2020 · 6b6a070 · 6b6a070
1 parent 751d7c0
commit 6b6a070
Showing 1 changed file with 7 additions and 18 deletions.
diff --git a/guava/src/com/google/common/io/Files.java b/guava/src/com/google/common/io/Files.java
@@ -421,25 +421,14 @@ public static boolean equal(File file1, File file2) throws IOException {
   @Beta
   @Deprecated
   public static File createTempDir() {
-    File baseDir = new File(System.getProperty("java.io.tmpdir"));
-    @SuppressWarnings("GoodTime") // reading system time without TimeSource
-    String baseName = System.currentTimeMillis() + "-";
-
-    for (int counter = 0; counter < TEMP_DIR_ATTEMPTS; counter++) {
-      File tempDir = new File(baseDir, baseName + counter);
-      if (tempDir.mkdir()) {
-        return tempDir;
-      }
+    try {
+      @SuppressWarnings("GoodTime") // reading system time without TimeSource
+      String baseName = System.currentTimeMillis() + "-";
+      java.nio.file.Path temp = java.nio.file.Files.createTempDirectory(baseName);
+      return temp.toFile();
+    } catch (IOException ioex) {
+      throw new IllegalStateException("Failed to create temporary directory.", ioex);
     }
-    throw new IllegalStateException(
-        "Failed to create directory within "
-            + TEMP_DIR_ATTEMPTS
-            + " attempts (tried "
-            + baseName
-            + "0 to "
-            + baseName
-            + (TEMP_DIR_ATTEMPTS - 1)
-            + ')');
   }
 
   /**