Security fix
- Fixes
sbt.io.IO.withTemporaryFile
not limiting access on Unix-like systems in io#344/zinc#1185 by @eed3si9n
IO.withTemporaryFile fix
sbt 1.8.3 fixes sbt.io.IO.withTemporaryFile
etc not limiting access on Unix-like systems. Prior to this patch release, some functions were using java.io.File.createTempFile
, which does not set strict file permissions, as opposed to the NIO-equivalent that does.
This means that on a shared Unix-like systems, build user or plugin's use of sbt.io.IO.withTemporaryFile
etc would have exposed the information to other users.
This issue was reported by Oleksandr Zolotko at IBM, and was fixed by Eugene Yokota (@eed3si9n) in io#344/zinc#1185.
Other updates
sbt 1.8.3 backports Zinc and IO fixes from 1.9.0-RC2 as well.
- Fixes Zinc incremental compilation looping infinitely zinc#1182 by @CarstonSchilds
- Fixes spurious whitespace in the runner script by @keynmol in #7134
- Fixes NullPointerError under
-Vdebug
by @som-snytt in zinc#1141 - Avoids deprecated
java.net.URL
constructor by @xuwei-k in io#341 - Updates to Swoval 2.1.10 by @eatkins in io#343
- Notifies
ClassFileManager
fromIncOptions
inIncremental.prune
by @lrytz in zinc1148 - Adds
FileFilter.nothing
andFileFilter.everything
by @mdedetrich in io#340