th555555 opened a new pull request, #26545: URL: https://github.com/apache/flink/pull/26545
This PR addresses a critical security vulnerability (Command Injection) in the extractTarFileUsingTar method of CompressionUtils.

- Modified extractTarFileUsingTar to use a stream-based approach that passes file content through stdin instead of passing file paths to shell commands.
- This approach eliminates the possibility of command injection via malicious file paths.
- Maintains the same functionality while improving security.

References:
- https://www.cve.org/CVERecord?id=CVE-2022-25168
- https://github.com/apache/hadoop/commit/cae749b076f35f0be13a926ee8cfbb7ce4402746

This change is a trivial rework / code cleanup without any test coverage.
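The stream-based approach the PR describes, written out as an added example. This is not Flink's CompressionUtils and not code from the PR; the class and method names (StdinTarExtractor, extractViaStdin, riskyShellCommand) are made up for illustration. It assumes a tar binary on PATH that accepts "-f -" to read the archive from stdin (GNU tar and BSD tar both do) and a Java 9 or later runtime for InputStream.transferTo.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.TimeUnit;

/**
 * Added example, not Flink's CompressionUtils: extracts a tar archive by
 * streaming its bytes into `tar` over stdin, with a constant argv and no
 * shell, so neither the archive path nor the target directory is ever
 * interpreted by a command parser.
 */
public final class StdinTarExtractor {

    private StdinTarExtractor() {}

    /**
     * The at-risk shape: a command string assembled from paths and handed to
     * a shell, where every character of the paths is shell syntax. Kept only
     * as the "before" to contrast with extractViaStdin; never invoke it.
     */
    static String riskyShellCommand(String archivePath, String targetDir) {
        return "tar -xf " + archivePath + " -C " + targetDir;
    }

    /**
     * Hardened form. The JVM opens the archive and pipes it to tar's stdin
     * ("-f -"); the working directory is set through the ProcessBuilder API
     * rather than a "-C" argument. argv is a fixed list, so a crafted file
     * name has nothing to inject into.
     */
    public static void extractViaStdin(Path archive, Path targetDir, boolean gzipped)
            throws IOException, InterruptedException {
        Files.createDirectories(targetDir);
        List<String> argv = gzipped
                ? Arrays.asList("tar", "-xz", "-f", "-")
                : Arrays.asList("tar", "-x", "-f", "-");
        Process tar = new ProcessBuilder(argv)
                .directory(targetDir.toFile())
                // Let tar's diagnostics go to our own stdout/stderr so its
                // output pipes cannot fill up while we are still writing stdin.
                .redirectOutput(ProcessBuilder.Redirect.INHERIT)
                .redirectError(ProcessBuilder.Redirect.INHERIT)
                .start();
        try (InputStream in = Files.newInputStream(archive);
             OutputStream toTar = tar.getOutputStream()) {
            in.transferTo(toTar); // closing toTar delivers EOF to tar
        }
        if (!tar.waitFor(10, TimeUnit.MINUTES)) {
            tar.destroyForcibly();
            throw new IOException("tar did not finish within the timeout");
        }
        int rc = tar.exitValue();
        if (rc != 0) {
            throw new IOException("tar exited with status " + rc);
        }
    }

    /** Usage: java StdinTarExtractor <archive.tar|archive.tar.gz> <targetDir> */
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: StdinTarExtractor <archive> <targetDir>");
            System.exit(2);
        }
        Path archive = Paths.get(args[0]);
        boolean gz = args[0].endsWith(".gz") || args[0].endsWith(".tgz");
        extractViaStdin(archive, Paths.get(args[1]), gz);
        System.out.println("extracted " + archive + " into " + args[1]);
    }
}
```

Two properties do the work here: ProcessBuilder receives an argument list rather than a command string, so no shell ever parses it, and the archive path is not an argument at all because the bytes arrive over stdin. The caveat a reviewer should keep in mind is that this closes the command-injection path only; the archive's contents remain untrusted, and member names with traversal components or absolute paths are a separate control (GNU tar strips leading "../" and "/" by default, but that behaviour should be verified for the tar actually deployed).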