[
https://issues.apache.org/jira/browse/FILEUPLOAD-298?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jochen Wiedmann resolved FILEUPLOAD-298.
----------------------------------------
Resolution: Won't Fix
Rejected. There is no reasonable scenario, when the users home directory would
be a better default. Apart from that, nothing prevents you to use
setRepository(), or fix the value of java.io.tmpdir.
> Don't use temp directory by default for storing uploaded files
> --------------------------------------------------------------
>
> Key: FILEUPLOAD-298
> URL: https://issues.apache.org/jira/browse/FILEUPLOAD-298
> Project: Commons FileUpload
> Issue Type: Improvement
> Reporter: Artem Smotrakov
> Priority: Major
> Attachments: use_app_work_directory_v1.patch
>
>
> By default, DiskFileItem stores uploaded files in the directory defined by
> java.io.tmpdir system property which creates a weakness described in
> CVE-2013-0248.
> [https://nvd.nist.gov/vuln/detail/CVE-2013-0248]
> The patch for CVE-2013-0248 just updates the docs with a note that the
> setRepository() method must be used in case of untrusted environment.
> [https://github.com/apache/commons-fileupload/commit/f874563307c1159ac634df67509d9859bca6ddb9]
> I am wondering if it would be better to use user.dir or user.home system
> properties instead of java.io.tmpdir:
> * Normally only the user which started the application can write to user.home
> * It seems to be more likely that user.dir is not publicly writable
> I am attaching a draft patch which updates DiskFileItem to use a subdirectory
> under user.dir although user.home looks to be a better option from security
> perspective.
> If no objections, I will finalize the patch and create a pull request.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
