Posted to commits@commons.apache.org by ma...@apache.org on 2013/03/06 11:34:47 UTC
svn commit: r1453273 - in /commons/proper/fileupload/trunk/src: main/java/org/apache/commons/fileupload/disk/DiskFileItemFactory.java site/xdoc/using.xml
Author: markt
Date: Wed Mar 6 10:34:47 2013
New Revision: 1453273
URL: http://svn.apache.org/r1453273
Log:
Make clear that a secure configuration with local, untrusted users requires that a repository is configured.
This is CVE-2013-0248
Modified:
commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/disk/DiskFileItemFactory.java
commons/proper/fileupload/trunk/src/site/xdoc/using.xml
Modified: commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/disk/DiskFileItemFactory.java
URL: http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/disk/DiskFileItemFactory.java?rev=1453273&r1=1453272&r2=1453273&view=diff
==============================================================================
--- commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/disk/DiskFileItemFactory.java (original)
+++ commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/disk/DiskFileItemFactory.java Wed Mar 6 10:34:47 2013
@@ -32,12 +32,23 @@ import org.apache.commons.io.FileCleanin
* created.</p>
*
* <p>If not otherwise configured, the default configuration values are as
- * follows:
+ * follows:</p>
* <ul>
* <li>Size threshold is 10KB.</li>
* <li>Repository is the system default temp directory, as returned by
* <code>System.getProperty("java.io.tmpdir")</code>.</li>
* </ul>
+ * <p>
+ * <b>NOTE</b>: Files are created in the system default temp directory with
+ * predictable names. This means that a local attacker with write access to that
+ * directory can perform a TOUTOC attack to replace any uploaded file with a
+ * file of the attackers choice. The implications of this will depend on how the
+ * uploaded file is used but could be significant. When using this
+ * implementation in an environment with local, untrusted users,
+ * {@link #setRepository(File)} MUST be used to configure a repository location
+ * that is not publicly writable. In a Servlet container the location identified
+ * by the ServletContext attribute <code>javax.servlet.context.tempdir</code>
+ * may be used.
* </p>
*
* <p>Temporary files, which are created for file items, should be
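Review bot: the new NOTE paragraph misspells the attack class as "TOUTOC"; the established term is TOCTOU (time-of-check to time-of-use), and "attackers choice" should read "attacker's choice". Since this text is the security guidance users will copy, it would also help to say explicitly that the `javax.servlet.context.tempdir` location only satisfies the requirement when the container has created it with permissions that exclude other local users, so readers do not take the last sentence as a blanket guarantee.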
Modified: commons/proper/fileupload/trunk/src/site/xdoc/using.xml
URL: http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/site/xdoc/using.xml?rev=1453273&r1=1453272&r2=1453273&view=diff
==============================================================================
--- commons/proper/fileupload/trunk/src/site/xdoc/using.xml (original)
+++ commons/proper/fileupload/trunk/src/site/xdoc/using.xml Wed Mar 6 10:34:47 2013
@@ -145,6 +145,12 @@ boolean isMultipart = ServletFileUpload.
<source><![CDATA[// Create a factory for disk-based file items
FileItemFactory factory = new DiskFileItemFactory();
+// Configure a repository (to ensure a secure temp location is used)
+ServletContext servletContext = this.getServletConfig().getServletContext();
+File repository = (File) servletContext.getAttribute(
+ "javax.servlet.context.tempdir");
+factory.setRepository(repository);
+
// Create a new file upload handler
ServletFileUpload upload = new ServletFileUpload(factory);
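Review bot: the added snippet casts `servletContext.getAttribute("javax.servlet.context.tempdir")` to `File` with no null check and assumes it runs inside a servlet (`this.getServletConfig()`), neither of which the surrounding example stated before; a short sentence above the `<source>` block saying the code is expected to run in an `HttpServlet`, plus a guard or comment for the case where the attribute is absent, would keep the example copy-paste safe. The comment "to ensure a secure temp location is used" could also mention that this depends on the container's tempdir not being writable by other local users, matching the Javadoc change in the other file.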