Posted to issues@commons.apache.org by "Artem Smotrakov (JIRA)" <ji...@apache.org> on 2019/04/08 11:44:00 UTC

[jira] [Comment Edited] (FILEUPLOAD-298) Don't use temp directory by default for storing uploaded files

    [ https://issues.apache.org/jira/browse/FILEUPLOAD-298?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16812286#comment-16812286 ] 

Artem Smotrakov edited comment on FILEUPLOAD-298 at 4/8/19 11:43 AM:
---------------------------------------------------------------------

One thing we need to think about is that uploaded files have to be stored outside the webroot. The directory to which files are uploaded should be outside of the website’s public directory, so that attackers cannot execute the file via a website URL.

Normally an application should be configured to use a separate directory for the webroot. It may happen that the webroot is under user.dir or user.home. It should not be a problem if uploaded files are stored in a subdirectory under user.dir or user.home (unless there is another vulnerability which allows writing files outside that directory).


was (Author: asmotrakov):
One thing we need to think about is that uploaded files have to be stored outside the webroot. The directory to which files are uploaded should be outside of the website’s public directory, so that attackers cannot execute the file via a website URL.

> Don't use temp directory by default for storing uploaded files
> --------------------------------------------------------------
>
>                 Key: FILEUPLOAD-298
>                 URL: https://issues.apache.org/jira/browse/FILEUPLOAD-298
>             Project: Commons FileUpload
>          Issue Type: Improvement
>            Reporter: Artem Smotrakov
>            Priority: Major
>         Attachments: use_app_work_directory_v1.patch
>
>
> By default, DiskFileItem stores uploaded files in the directory defined by the java.io.tmpdir system property, which creates a weakness described in CVE-2013-0248.
> [https://nvd.nist.gov/vuln/detail/CVE-2013-0248]
> The patch for CVE-2013-0248 just updates the docs with a note that the setRepository() method must be used in case of an untrusted environment.
> [https://github.com/apache/commons-fileupload/commit/f874563307c1159ac634df67509d9859bca6ddb9]
> I am wondering if it would be better to use the user.dir or user.home system properties instead of java.io.tmpdir:
>  * Normally only the user who started the application can write to user.home
>  * It seems to be more likely that user.dir is not publicly writable
> I am attaching a draft patch which updates DiskFileItem to use a subdirectory under user.dir, although user.home looks to be a better option from a security perspective.
> If no objections, I will finalize the patch and create a pull request.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
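
An added example, not part of the JIRA message above and not Commons FileUpload code: one way an application could prepare the directory it passes to setRepository(), so that it is owner-only rather than a shared java.io.tmpdir and is refused if it resolves inside the webroot. The class name `UploadRepository`, the method `prepare`, the directory names and the demo layout in `main` are assumptions made for illustration; only JDK classes are used.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;

public class UploadRepository {

    /** Creates an owner-only upload directory under baseDir, refusing any location inside webroot. */
    static Path prepare(Path baseDir, String name, Path webroot) throws IOException {
        Path realWebroot = webroot.toRealPath();
        // Resolve symlinks in the parent and collapse ".." before creating anything.
        Path candidate = baseDir.toRealPath().resolve(name).normalize();
        if (candidate.startsWith(realWebroot)) {
            throw new IOException("upload repository would be inside webroot: " + candidate);
        }
        Files.createDirectories(candidate);
        // Re-check the real path in case the last component already existed as a link.
        Path repo = candidate.toRealPath();
        if (repo.startsWith(realWebroot)) {
            throw new IOException("upload repository resolves inside webroot: " + repo);
        }
        // Unlike a shared java.io.tmpdir, only the application user gets access.
        if (repo.getFileSystem().supportedFileAttributeViews().contains("posix")) {
            Files.setPosixFilePermissions(repo, PosixFilePermissions.fromString("rwx------"));
        }
        return repo;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout standing in for user.home with webroot beneath it.
        Path home = Files.createTempDirectory("demo-home");
        Path webroot = Files.createDirectories(home.resolve("app/webroot"));

        Path repo = prepare(home, "upload-repository", webroot);
        System.out.println("repository: " + repo);
        // With Commons FileUpload on the classpath: factory.setRepository(repo.toFile());

        try {
            prepare(webroot, "uploads", webroot);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The second call in `main` shows the failure mode the comment describes: a repository placed under the webroot is rejected before any directory is created.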