Uploaded image for project: 'Maven Wrapper'
  1. Maven Wrapper
  2. MWRAPPER-50

Verify checksum when downloading maven-wrapper.jar  

    XMLWordPrintableJSON

Details

    Description

      Hi,

      Sorry if I just cannot find it

      but it seems the checksum is not checked of the `maven-wrapper.jar` downloaded here:

      https://github.com/apache/maven-wrapper/blob/efba2bde13feeabfb42e9dc120e8a35c127baf0d/maven-wrapper-distribution/src/resources/mvnw#L207

       

      Checksum of the downloaded file should be checked before executing it to avoid a remote code execution attack on the developer machine.

       

      Attachments

        Issue Links

          is related to

          New Feature - A new feature of the product, which has yet to be developed. MWRAPPER-79 Automatically add sha256 to maven-wrapper.properties

          • Major - Major loss of function.
          • Open

          New Feature - A new feature of the product, which has yet to be developed. MWRAPPER-75 Allow for sha256 checksum verification of downloaded artifacts.

          • Normal -
          • Closed

          Activity

            People

              Unassigned Unassigned
              premek Premek Vyhnal
              Votes:
              1 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated: