Artem Smotrakov created FILEUPLOAD-298:
------------------------------------------
Summary: Don't use temp directory by default for storing uploaded
files
Key: FILEUPLOAD-298
URL: https://issues.apache.org/jira/browse/FILEUPLOAD-298
Project: Commons FileUpload
Issue Type: Improvement
Reporter: Artem Smotrakov
By default, DiskFileItem stores uploaded files in the directory defined by
java.io.tmpdir system property which creates a weakness described in
CVE-2013-0248.
[https://nvd.nist.gov/vuln/detail/CVE-2013-0248]
The patch for CVE-2013-0248 just updates the docs with a note that the
setRepository() method must be used in case of untrusted environment.
[https://github.com/apache/commons-fileupload/commit/f874563307c1159ac634df67509d9859bca6ddb9]
I am wondering if it would be better to use user.dir or user.home system
properties instead of java.io.tmpdir:
* Normally only the user which started the application can write to user.home
* It seems to be more likely that user.dir is not publicly writable
I am attaching a draft patch which updates DiskFileItem to use a subdirectory
under user.dir although user.home looks to be a better option from security
perspective.
If no objections, I will finalize the patch and create a pull request.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
