commons-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ma...@apache.org
Subject svn commit: r1453273 - in /commons/proper/fileupload/trunk/src: main/java/org/apache/commons/fileupload/disk/DiskFileItemFactory.java site/xdoc/using.xml
Date Wed, 06 Mar 2013 10:34:47 GMT
Author: markt
Date: Wed Mar  6 10:34:47 2013
New Revision: 1453273

URL: http://svn.apache.org/r1453273
Log:
Make clear that a secure configuration with local, untrusted users requires that a repository
is configured.
This is CVE-2013-0248

Modified:
    commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/disk/DiskFileItemFactory.java
    commons/proper/fileupload/trunk/src/site/xdoc/using.xml

Modified: commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/disk/DiskFileItemFactory.java
URL: http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/disk/DiskFileItemFactory.java?rev=1453273&r1=1453272&r2=1453273&view=diff
==============================================================================
--- commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/disk/DiskFileItemFactory.java
(original)
+++ commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/disk/DiskFileItemFactory.java
Wed Mar  6 10:34:47 2013
@@ -32,12 +32,23 @@ import org.apache.commons.io.FileCleanin
  * created.</p>
  *
  * <p>If not otherwise configured, the default configuration values are as
- * follows:
+ * follows:</p>
  * <ul>
  *   <li>Size threshold is 10KB.</li>
  *   <li>Repository is the system default temp directory, as returned by
  *       <code>System.getProperty("java.io.tmpdir")</code>.</li>
  * </ul>
+ * <p>
+ * <b>NOTE</b>: Files are created in the system default temp directory with
+ * predictable names. This means that a local attacker with write access to that
+ * directory can perform a TOUTOC attack to replace any uploaded file with a
+ * file of the attackers choice. The implications of this will depend on how the
+ * uploaded file is used but could be significant. When using this
+ * implementation in an environment with local, untrusted users,
+ * {@link #setRepository(File)} MUST be used to configure a repository location
+ * that is not publicly writable. In a Servlet container the location identified
+ * by the ServletContext attribute <code>javax.servlet.context.tempdir</code>
+ * may be used.
  * </p>
  *
  * <p>Temporary files, which are created for file items, should be

Modified: commons/proper/fileupload/trunk/src/site/xdoc/using.xml
URL: http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/site/xdoc/using.xml?rev=1453273&r1=1453272&r2=1453273&view=diff
==============================================================================
--- commons/proper/fileupload/trunk/src/site/xdoc/using.xml (original)
+++ commons/proper/fileupload/trunk/src/site/xdoc/using.xml Wed Mar  6 10:34:47 2013
@@ -145,6 +145,12 @@ boolean isMultipart = ServletFileUpload.
 <source><![CDATA[// Create a factory for disk-based file items
 FileItemFactory factory = new DiskFileItemFactory();
 
+// Configure a repository (to ensure a secure temp location is used)
+ServletContext servletContext = this.getServletConfig().getServletContext();
+File repository = (File) servletContext.getAttribute(
+        "javax.servlet.context.tempdir");
+factory.setRepository(repository);
+
 // Create a new file upload handler
 ServletFileUpload upload = new ServletFileUpload(factory);
 



Mime
View raw message