fix CVE-2020-27216

CVE-2020-27216.patch

@@ -0,0 +1,65 @@
+From 53e0e0e9b25a6309bf24ee3b10984f4145701edb Mon Sep 17 00:00:00 2001
+From: Joakim Erdfelt <joakim.erdfelt@gmail.com>
+Date: Thu, 15 Oct 2020 17:39:30 -0500
+Subject: [PATCH] Merge pull request from GHSA-g3wg-6mcf-8jj6
+
+* Issue #5451 - Improving temp directory creation.
+
++ Using new Files.createTempDirectory() instead
+  of nonsense around File.createTempFile()
+
+Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
+
+* Fixes #5451 - Restoring File.deleteOnExit
+---
+ .../jetty/webapp/WebInfConfiguration.java     | 20 +++++++------------
+ 1 file changed, 7 insertions(+), 13 deletions(-)
+
+diff --git a/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java
+index b94f788..f39432d 100644
+--- a/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java
++++ b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java
+@@ -24,6 +24,8 @@ import java.net.URI;
+ import java.net.URISyntaxException;
+ import java.net.URL;
+ import java.net.URLClassLoader;
++import java.nio.file.Files;
++import java.nio.file.Path;
+ import java.util.ArrayList;
+ import java.util.Arrays;
+ import java.util.List;
+@@ -384,14 +386,10 @@ public class WebInfConfiguration extends AbstractConfiguration
+     @Override
+     public void cloneConfigure(WebAppContext template, WebAppContext context) throws Exception
+     {
+-        File tmpDir=File.createTempFile(WebInfConfiguration.getCanonicalNameForWebAppTmpDir(context),"",template.getTempDirectory().getParentFile());
+-        if (tmpDir.exists())
+-        {
+-            IO.delete(tmpDir);
+-        }
+-        tmpDir.mkdir();
+-        tmpDir.deleteOnExit();
+-        context.setTempDirectory(tmpDir);
++        Path tmpDir = Files.createTempDirectory(template.getTempDirectory().getParentFile().toPath(), WebInfConfiguration.getCanonicalNameForWebAppTmpDir(context));
++	File tmpDirAsFile = tmpDir.toFile();
++	tmpDirAsFile.deleteOnExit();
++	context.setTempDirectory(tmpDirAsFile);
+     }
+ 
+ 
+@@ -522,11 +520,7 @@ public class WebInfConfiguration extends AbstractConfiguration
+         else
+         {
+             //ensure file will always be unique by appending random digits
+-            tmpDir = File.createTempFile(temp, ".dir", parent);
+-            //delete the file that was created
+-            tmpDir.delete();
+-            //and make a directory of the same name
+-            tmpDir.mkdirs();
++            tmpDir = Files.createTempDirectory(parent.toPath(), temp).toFile();
+         }
+         configureTempDirectory(tmpDir, context);
+ 
+-- 
+2.23.0
+

jetty.spec

@@ -12,15 +12,16 @@
 %bcond_with     jp_minimal
 Name:                jetty
 Version:             9.4.15
-Release:             4
+Release:             5
 Summary:             Java Webserver and Servlet Container
-License:             ASL 2.0 or EPL-1.0
+License:             ASL 2.0 or EPL-1.0 or EPL-2.0
 URL:                 http://www.eclipse.org/jetty/
 Source0:             https://github.com/eclipse/%{name}.project/archive/%{name}-%{version}%{addver}.tar.gz
 Source1:             jetty.sh
 Source3:             jetty.logrotate
 Source5:             %{name}.service
 Source6:             LICENSE-MIT
+Patch0:              CVE-2020-27216.patch
 BuildRequires:       maven-local mvn(javax.servlet:javax.servlet-api)
 BuildRequires:       mvn(org.apache.felix:maven-bundle-plugin)
 BuildRequires:       mvn(org.apache.maven.plugins:maven-shade-plugin)
@@ -779,6 +780,9 @@ exit 0
 %license LICENSE NOTICE.txt LICENSE-MIT
 
 %changelog
+* Mon Feb 8 2021 zhanghua <zhanghua40@huawei.com> - 9.4.15-5
+- fix CVE-2020-27216
+
 * Tue Nov 10 2020 wangyue <wangyue92@huawei.com> - 9.4.15-4
 - Change dependence: replace jetty-alpn with openjdk-1.8.0