From c33550f703f5d1d7dd71ad2992d79a5e5532ce2c Mon Sep 17 00:00:00 2001
From: Looly <loolly@aliyun.com>
Date: Mon, 15 May 2023 20:48:02 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8DFileUtil.createTempFile?=
 =?UTF-8?q?=E5=8F=AF=E8=83=BD=E5=AF=BC=E8=87=B4=E7=9A=84=E6=BC=8F=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 CHANGELOG.md                                  |  1 +
 .../main/java/cn/hutool/core/io/FileUtil.java |  4 ++-
 .../java/cn/hutool/core/io/file/PathUtil.java | 28 +++++++++++++++++++
 3 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5b9959bf7..bc301d812 100755
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,7 @@
 * 【http  】      修复HttpDownloader.downloadFile 方法缺少static问题（issue#I6Z8VU@Gitee）
 * 【core  】      修复NumberUtil mul 传入null的string入参报错问题（issue#I70JB3@Gitee）
 * 【core  】      修复ZipReader.get调用reset异常问题（issue#3099@Github）
+* 【core  】      修复FileUtil.createTempFile可能导致的漏洞（issue#3103@Github）
 
 -------------------------------------------------------------------------------------------------------------
 # 5.8.18 (2023-04-27)
diff --git a/hutool-core/src/main/java/cn/hutool/core/io/FileUtil.java b/hutool-core/src/main/java/cn/hutool/core/io/FileUtil.java
index 622244b68..46ca92879 100755
--- a/hutool-core/src/main/java/cn/hutool/core/io/FileUtil.java
+++ b/hutool-core/src/main/java/cn/hutool/core/io/FileUtil.java
@@ -1004,7 +1004,9 @@ public class FileUtil extends PathUtil {
 		int exceptionsCount = 0;
 		while (true) {
 			try {
-				File file = File.createTempFile(prefix, suffix, mkdir(dir)).getCanonicalFile();
+				// https://github.com/dromara/hutool/issues/3103
+				//File file = File.createTempFile(prefix, suffix, mkdir(dir)).getCanonicalFile();
+				final File file = PathUtil.createTempFile(prefix, suffix, null == dir ? null : dir.toPath()).toFile().getCanonicalFile();
 				if (isReCreat) {
 					//noinspection ResultOfMethodCallIgnored
 					file.delete();
diff --git a/hutool-core/src/main/java/cn/hutool/core/io/file/PathUtil.java b/hutool-core/src/main/java/cn/hutool/core/io/file/PathUtil.java
index 93d10586e..faf823094 100644
--- a/hutool-core/src/main/java/cn/hutool/core/io/file/PathUtil.java
+++ b/hutool-core/src/main/java/cn/hutool/core/io/file/PathUtil.java
@@ -668,6 +668,34 @@ public class PathUtil {
 		return path.getFileName().toString();
 	}
 
+	/**
+	 * 创建临时文件<br>
+	 * 创建后的文件名为 prefix[Random].suffix From com.jodd.io.FileUtil
+	 *
+	 * @param prefix    前缀，至少3个字符
+	 * @param suffix    后缀，如果null则使用默认.tmp
+	 * @param dir       临时文件创建的所在目录
+	 * @return 临时文件
+	 * @throws IORuntimeException IO异常
+	 * @since 6.0.0
+	 */
+	public static Path createTempFile(final String prefix, final String suffix, final Path dir) throws IORuntimeException {
+		int exceptionsCount = 0;
+		while (true) {
+			try {
+				if(null == dir){
+					return Files.createTempFile(prefix, suffix);
+				}else{
+					return Files.createTempFile(mkdir(dir), prefix, suffix);
+				}
+			} catch (final IOException ioex) { // fixes java.io.WinNTFileSystem.createFileExclusively access denied
+				if (++exceptionsCount >= 50) {
+					throw new IORuntimeException(ioex);
+				}
+			}
+		}
+	}
+
 	/**
 	 * 删除文件或空目录，不追踪软链
 	 *