[jira] [Updated] (MWRAPPER-50) Verify checksum when downloading maven-wrapper.jar

Slawomir Jaranowski (Jira) Tue, 04 Oct 2022 13:23:03 -0700


     [ 
https://issues.apache.org/jira/browse/MWRAPPER-50?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Slawomir Jaranowski updated MWRAPPER-50:
----------------------------------------
    Fix Version/s: waiting-for-feedback

> Verify checksum when downloading maven-wrapper.jar  
> ----------------------------------------------------
>
>                 Key: MWRAPPER-50
>                 URL: https://issues.apache.org/jira/browse/MWRAPPER-50
>             Project: Maven Wrapper
>          Issue Type: Bug
>          Components: Maven Wrapper Scripts
>    Affects Versions: 3.1.0
>            Reporter: Premek Vyhnal
>            Priority: Major
>             Fix For: waiting-for-feedback
>
>
> Hi,
> Sorry if I just cannot find it
> but it seems the checksum is not checked of the `maven-wrapper.jar` 
> downloaded here:
> [https://github.com/apache/maven-wrapper/blob/efba2bde13feeabfb42e9dc120e8a35c127baf0d/maven-wrapper-distribution/src/resources/mvnw#L207]
>  
> Checksum of the downloaded file should be checked before executing it to 
> avoid a remote code execution attack on the developer machine.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (MWRAPPER-50) Verify checksum when downloading maven-wrapper.jar

Reply via email to