guava/CVE-2020-8908.patch


2021-02-19 18:16:18 +08:00
From fec0dbc4634006a6162cfd4d0d09c962073ddf40 Mon Sep 17 00:00:00 2001
From: glorioso <glorioso@google.com>
Date: Wed, 26 Aug 2020 10:02:56 -0700
Subject: [PATCH] Deprecate Files.createTempDir(), noting that better
alternatives exist for Android as well as for users running Java 7 or later.
RELNOTES=`io`: Deprecated `Files.createTempDir()`.
-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=328552787
---
android/guava/src/com/google/common/io/Files.java | 12 ++++++++++++
guava/src/com/google/common/io/Files.java| 12 ++++++++++++
2 files changed, 24 insertions(+)
diff --git a/android/guava/src/com/google/common/io/Files.java b/android/guava/src/com/google/common/io/Files.java
index a23cd96b39..34de31eff5 100644
--- a/android/guava/src/com/google/common/io/Files.java
+++ b/android/guava/src/com/google/common/io/Files.java
@@ -386,6 +386,11 @@ public final class Files {
* be exploited to create security vulnerabilities, especially when executable files are to be
* written into the directory.
*
+ * <p>Depending on the environmment that this code is run in, the system temporary directory (and
+ * thus the directory this method creates) may be more visible that a program would like - files
+ * written to this directory may be read or overwritten by hostile programs running on the same
+ * machine.
+ *
* <p>This method assumes that the temporary volume is writable, has free inodes and free blocks,
* and that it will not be called thousands of times per second.
*
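Review bot: The added Javadoc paragraph has two typos that will ship in the published API docs: `environmment` should be `environment`, and `more visible that a program would like` should read `more visible than a program would like`. The same two typos appear in the guava/ copy of this paragraph in the third hunk. The paragraph would also be more actionable if it named the cause rather than only the symptom, for example `the directory is created with the platform's default permissions, which on many systems let other local users list and read it`. That wording should be confirmed against the method body, which lies outside this hunk.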
@@ -394,7 +399,14 @@ public final class Files {
*
* @return the newly-created directory
* @throws IllegalStateException if the directory could not be created
+ * @deprecated For Android users, see the <a
+ * href="https://developer.android.com/training/data-storage" target="_blank">Data and File
+ * Storage overview</a> to select an appropriate temporary directory (perhaps {@code
+ * context.getCacheDir()}). For developers on Java 7 or later, use {@link
+ * java.nio.file.Files#createTempDirectory}, transforming it to a {@link File} using {@link
+ * java.nio.file.Path#toFile() toFile()} if needed.
*/
+ @Deprecated
public static File createTempDir() {
File baseDir = new File(System.getProperty("java.io.tmpdir"));
String baseName = System.currentTimeMillis() + "-";
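Review bot: Deprecation alone leaves the behaviour unchanged: the visible body still creates the directory under `java.io.tmpdir` with a `System.currentTimeMillis()`-based name, so every existing caller keeps the exposure the new Javadoc describes until it migrates. Since this patch is filed under the name CVE-2020-8908, the `@deprecated` text should say so explicitly, for example `This method's behavior is unchanged; callers that write sensitive data must migrate or restrict the directory's permissions themselves.` It would also help to state why `java.nio.file.Files#createTempDirectory` is the preferred replacement (on POSIX file systems it is expected to create the directory with owner-only access; confirm for the target JDK). The same applies to the guava/ copy in the last hunk, and the method body continues past the end of both hunks.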
diff --git a/guava/src/com/google/common/io/Files.java
b/guava/src/com/google/common/io/Files.java
index a23cd96b39..34de31eff5 100644
--- a/guava/src/com/google/common/io/Files.java
+++ b/guava/src/com/google/common/io/Files.java
@@ -386,6 +386,11 @@ public final class Files {
* be exploited to create security vulnerabilities, especially when executable files are to be
* written into the directory.
*
+ * <p>Depending on the environmment that this code is run in, the system temporary directory (and
+ * thus the directory this method creates) may be more visible that a program would like - files
+ * written to this directory may be read or overwritten by hostile programs running on the same
+ * machine.
+ *
* <p>This method assumes that the temporary volume is writable, has free inodes and free blocks,
* and that it will not be called thousands of times per second.
*
@@ -394,7 +399,14 @@ public final class Files {
*
* @return the newly-created directory
* @throws IllegalStateException if the directory could not be created
+ * @deprecated For Android users, see the <a
+ * href="https://developer.android.com/training/data-storage" target="_blank">Data and File
+ * Storage overview</a> to select an appropriate temporary directory (perhaps {@code
+ * context.getCacheDir()}). For developers on Java 7 or later, use {@link
+ * java.nio.file.Files#createTempDirectory}, transforming it to a {@link File} using {@link
+ * java.nio.file.Path#toFile() toFile()} if needed.
*/
+ @Deprecated
public static File createTempDir() {
File baseDir = new File(System.getProperty("java.io.tmpdir"));
String baseName = System.currentTimeMillis() + "-";