You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@commons.apache.org by "Artem Smotrakov (JIRA)" <ji...@apache.org> on 2019/04/08 09:49:00 UTC
[jira] [Updated] (FILEUPLOAD-298) Don't use temp directory by
default for storing uploaded files
[ https://issues.apache.org/jira/browse/FILEUPLOAD-298?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Artem Smotrakov updated FILEUPLOAD-298:
---------------------------------------
Attachment: use_app_work_directory_v1.patch
> Don't use temp directory by default for storing uploaded files
> --------------------------------------------------------------
>
> Key: FILEUPLOAD-298
> URL: https://issues.apache.org/jira/browse/FILEUPLOAD-298
> Project: Commons FileUpload
> Issue Type: Improvement
> Reporter: Artem Smotrakov
> Priority: Major
> Attachments: use_app_work_directory_v1.patch
>
>
> By default, DiskFileItem stores uploaded files in the directory defined by java.io.tmpdir system property which creates a weakness described in CVE-2013-0248.
> [https://nvd.nist.gov/vuln/detail/CVE-2013-0248]
> The patch for CVE-2013-0248 just updates the docs with a note that the setRepository() method must be used in case of untrusted environment.
> [https://github.com/apache/commons-fileupload/commit/f874563307c1159ac634df67509d9859bca6ddb9]
> I am wondering if it would be better to use user.dir or user.home system properties instead of java.io.tmpdir:
> * Normally only the user which started the application can write to user.home
> * It seems to be more likely that user.dir is not publicly writable
> I am attaching a draft patch which updates DiskFileItem to use a subdirectory under user.dir although user.home looks to be a better option from security perspective.
> If no objections, I will finalize the patch and create a pull request.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)