MCR-3606 Possible loss of metadata due to insecure file writing processes #2809

Merged

Mewel merged 5 commits into 2023.06.x from MCR-3606-Insecure_file_writes_lead_to_lost_metadata
Mar 25, 2026


@golsch commented Feb 10, 2026

Link to jira.

Pull Request Checklist (Author)

Please go through the following checklist before assigning the PR for review:

Ticket & Documentation

  • The issue in the ticket is clearly described and the solution is documented.
  • Design decisions (if any) are explained.
  • The ticket references the correct source and target branches.
  • The fixed-version is correctly set in the ticket and matches the PR's target branch (main).

Feature & Improvement Specific Checks

  • Instructions on how to test or use the feature are included or linked (e.g. to documentation).
  • For UI changes: before & after screenshots are attached.
  • New features or migrations are documented.
  • Does this change affect existing applications, data, or configurations?
    • Yes: Is a migration required? If yes, describe it.
    • Breaking change is marked in the commit message.

Bugfix-Specific Checks

  • Affected version is listed in the ticket.
  • Minimal code changes were made (no refactoring).
  • This PR truly fixes only the reported bug.
  • No breaking changes are introduced.
  • A relevant test was added (if feasible).

Testing

  • I have tested the changes locally.
  • The feature behaves as described in the ticket.
  • Were existing tests modified?
    • Yes: explain the changes for reviewers.

MCR Conventions & Metadata

  • MCR naming conventions are followed
  • If the public API has changed:
    • Old API is deprecated or a migration is documented.
    • If not, no action needed.
  • Java license headers are added where necessary.
  • Javadoc is written for non-self-explanatory classes/methods (Clean Code).
  • All configuration options are documented in Javadoc and mycore.properties.
  • No default properties are hardcoded — all set via mycore.properties.

Multi-Repo Considerations

  • Is an equivalent PR in MIR required?
    • If yes, is it already created?

@golsch requested review from fluetze and yagee-de February 10, 2026 10:21
Comment thread mycore-base/src/main/java/org/mycore/common/content/MCRContent.java
@golsch requested a review from fluetze March 3, 2026 13:46
@golsch force-pushed the MCR-3606-Insecure_file_writes_lead_to_lost_metadata branch from 22cbded to 0539743 March 24, 2026 13:40
@golsch force-pushed the MCR-3606-Insecure_file_writes_lead_to_lost_metadata branch from 0539743 to bbde12e March 24, 2026 13:41
@Mewel removed request for fluetze and yagee-de March 25, 2026 13:07
@Mewel dismissed fluetze’s stale review March 25, 2026 13:07

PR talked through on mycore meeting

@Mewel merged commit 1d426a6 into 2023.06.x Mar 25, 2026
3 checks passed
@Mewel deleted the MCR-3606-Insecure_file_writes_lead_to_lost_metadata branch March 25, 2026 13:08
yagee-de added a commit that referenced this pull request Apr 17, 2026
* 2023.06.x:
  MCR-3678 web cli leaks janitor role (#2910)
  MCR-3660 MCRPath.normalize() incorrectly removes leading segments in relative paths (#2893)
  MCR-3659 use i18n key for missing write access in MCRUploadServerException
  MCR-3656 fix Saxon format-time on Unix throws DateTimeException
  MCR-3606 Possible loss of metadata due to insecure file writing processes (#2809)
yagee-de added a commit that referenced this pull request Apr 17, 2026
* 2024.06.x:
  MCR-3685 PI job user compatibility mode causes NPE if user is configured w/o provider prefix (#2915)
  MCR-3678 web cli leaks janitor role (#2910)
  MCR-3664 use correct method to check if value class is annotated with @singleton (#2897)
  MCR-3660 MCRPath.normalize() incorrectly removes leading segments in relative paths (#2893)
  MCR-3659 use i18n key for missing write access in MCRUploadServerException
  MCR-3658 Fixed NullPointerExceptions in MCRMergeTool and MCRORCIDTransformerHelper (#2887)
  MCR-3656 fix Saxon format-time on Unix throws DateTimeException
  MCR-3606 Possible loss of metadata due to insecure file writing processes (#2809)
yagee-de added a commit that referenced this pull request Apr 17, 2026
* 2025.06.x:
  MCR-3685 PI job user compatibility mode causes NPE if user is configured w/o provider prefix (#2915)
  MCR-3678 web cli leaks janitor role (#2910)
  MCR-3664 use correct method to check if value class is annotated with @singleton (#2897)
  MCR-3663 Transaction handling in MCRJerseyExceptionMapper (#2894)
  MCR-3660 MCRPath.normalize() incorrectly removes leading segments in relative paths (#2893)
  MCR-3659 use i18n key for missing write access in MCRUploadServerException
  MCR-3658 Fixed NullPointerExceptions in MCRMergeTool and MCRORCIDTransformerHelper (#2887)
  MCR-3656 fix Saxon format-time on Unix throws DateTimeException
  MCR-3606 Possible loss of metadata due to insecure file writing processes (#2809)
yagee-de added a commit that referenced this pull request Apr 17, 2026
* 2025.12.x:
  MCR-3685 PI job user compatibility mode causes NPE if user is configured w/o provider prefix (#2915)
  MCR-3675 use expanded object to retrieve list of derivate IDs (#2906)
  MCR-3678 web cli leaks janitor role (#2910)
  MCR-3674 fix not such element exception (#2904)
  use getOwner() instead of getXlinkHref() (#2901)
  MCR-3664 use correct method to check if value class is annotated with @singleton (#2897)
  MCR-3663 Transaction handling in MCRJerseyExceptionMapper (#2894)
  MCR-3660 MCRPath.normalize() incorrectly removes leading segments in relative paths (#2893)
  MCR-3659 use i18n key for missing write access in MCRUploadServerException
  MCR-3658 Fixed NullPointerExceptions in MCRMergeTool and MCRORCIDTransformerHelper (#2887)
  MCR-3656 fix Saxon format-time on Unix throws DateTimeException
  MCR-3606 Possible loss of metadata due to insecure file writing processes (#2809)
  MCR-3201 fix texteditor ask for basic auth (#2876)