[jira] [Commented] (FILEUPLOAD-298) Don't use temp directory by default for storing uploaded files

2019-04-09 Thread Jochen Wiedmann (JIRA)


[ https://issues.apache.org/jira/browse/FILEUPLOAD-298?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16813585#comment-16813585 ]

Jochen Wiedmann commented on FILEUPLOAD-298:


Given the fact that DiskFileItem creates the temp file with the name

    "upload_%s_%s.tmp"

(see DiskFileItem.getTempFile), where the first %s is a UUID and the second %s 
is, basically, an integer value (neither the UUID nor the integer value is 
visible to the client), I fail to see the problem.

> Don't use temp directory by default for storing uploaded files
> --------------------------------------------------------------
>
> Key: FILEUPLOAD-298
> URL: https://issues.apache.org/jira/browse/FILEUPLOAD-298
> Project: Commons FileUpload
> Issue Type: Improvement
> Reporter: Artem Smotrakov
> Priority: Major
> Attachments: use_app_work_directory_v1.patch
>
> By default, DiskFileItem stores uploaded files in the directory defined by 
> java.io.tmpdir system property which creates a weakness described in 
> CVE-2013-0248.
> [https://nvd.nist.gov/vuln/detail/CVE-2013-0248]
> The patch for CVE-2013-0248 just updates the docs with a note that the 
> setRepository() method must be used in case of untrusted environment.
> [https://github.com/apache/commons-fileupload/commit/f874563307c1159ac634df67509d9859bca6ddb9]
> I am wondering if it would be better to use user.dir or user.home system 
> properties instead of java.io.tmpdir:
>  * Normally only the user which started the application can write to user.home
>  * It seems to be more likely that user.dir is not publicly writable
> I am attaching a draft patch which updates DiskFileItem to use a subdirectory 
> under user.dir although user.home looks to be a better option from security 
> perspective.
> If no objections, I will finalize the patch and create a pull request.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
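
The quoted issue description names setRepository() as the documented mitigation for the java.io.tmpdir default. As an added example (not code from this thread or from Commons FileUpload itself), the following shows one way to prepare an owner-only repository outside the webroot before handing it to the factory. It assumes the 1.x package names, a POSIX file system, and illustrative locations (`app-uploads` under user.home, `/var/www/app` as webroot).

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;

public class PrivateUploadRepository {

    /** Creates or validates an owner-only directory that is not inside the webroot. */
    static Path prepare(Path repository, Path webRoot) throws IOException {
        Path repo = repository.toAbsolutePath().normalize();
        Path root = webRoot.toAbsolutePath().normalize();
        if (repo.startsWith(root)) {
            throw new IOException("upload repository must be outside the webroot: " + repo);
        }
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rwx------");
        if (Files.notExists(repo, LinkOption.NOFOLLOW_LINKS)) {
            Files.createDirectories(repo.getParent());
            // Permissions are applied atomically at creation time (umask can only narrow them).
            Files.createDirectory(repo, PosixFilePermissions.asFileAttribute(ownerOnly));
        }
        // A pre-existing path is re-checked rather than trusted.
        if (!Files.isDirectory(repo, LinkOption.NOFOLLOW_LINKS)) {
            throw new IOException("not a real directory (file or symlink): " + repo);
        }
        Set<PosixFilePermission> perms =
                Files.getPosixFilePermissions(repo, LinkOption.NOFOLLOW_LINKS);
        if (!ownerOnly.containsAll(perms)) {
            throw new IOException("repository is accessible to group/others: " + perms);
        }
        return repo;
    }

    public static void main(String[] args) throws IOException {
        // Assumed locations, for illustration only.
        Path repo = Paths.get(System.getProperty("user.home"), "app-uploads");
        Path webRoot = Paths.get("/var/www/app");

        DiskFileItemFactory factory = new DiskFileItemFactory();
        factory.setRepository(prepare(repo, webRoot).toFile());
        System.out.println("upload repository: " + factory.getRepository());
    }
}
```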


[jira] [Commented] (FILEUPLOAD-298) Don't use temp directory by default for storing uploaded files

2019-04-09 Thread Jochen Wiedmann (JIRA)


[ https://issues.apache.org/jira/browse/FILEUPLOAD-298?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16813363#comment-16813363 ]

Jochen Wiedmann commented on FILEUPLOAD-298:


[~asmotrakov]: Agreed. On the other hand, that's what we have setRepository() 
for. I won't enter the discussion of what's a sensible value for that, or not. 
In particular not while we are discussing sensible default values, because 
that's quite a different story.



[jira] [Commented] (FILEUPLOAD-298) Don't use temp directory by default for storing uploaded files

2019-04-08 Thread Artem Smotrakov (JIRA)


[ https://issues.apache.org/jira/browse/FILEUPLOAD-298?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16812286#comment-16812286 ]

Artem Smotrakov commented on FILEUPLOAD-298:


One thing we need to think about is that uploaded files have to be stored 
outside webroot. The directory to which files are uploaded should be outside of 
the website’s public directory, so that the attackers cannot execute the file 
via a website URL.
