commons-issues mailing list archives

From "Artem Smotrakov (JIRA)" <>
Subject [jira] [Created] (FILEUPLOAD-298) Don't use temp directory by default for storing uploaded files
Date Mon, 08 Apr 2019 09:48:00 GMT
Artem Smotrakov created FILEUPLOAD-298:

             Summary: Don't use temp directory by default for storing uploaded files
                 Key: FILEUPLOAD-298
             Project: Commons FileUpload
          Issue Type: Improvement
            Reporter: Artem Smotrakov

By default, DiskFileItem stores uploaded files in the directory defined by a
system property, which creates a weakness described in CVE-2013-0248.

The patch for CVE-2013-0248 just updates the docs with a note that the setRepository() method
must be used in an untrusted environment.


I am wondering if it would be better to use the user.dir or user.home system properties instead:
 * Normally only the user which started the application can write to user.home
 * It seems to be more likely that user.dir is not publicly writable

I am attaching a draft patch which updates DiskFileItem to use a subdirectory under user.dir,
although user.home looks to be a better option from a security perspective.

If no objections, I will finalize the patch and create a pull request.
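The workaround the CVE-2013-0248 docs note describes, as an added example that is not part of this ticket or of the draft patch: an application creates an owner-only directory under user.home, verifies it is not group- or world-writable, and hands it to DiskFileItemFactory.setRepository() so temporary upload files never land in java.io.tmpdir. The subdirectory name `.example-app-uploads` is an assumption; the factory API is the existing commons-fileupload 1.x one.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

import org.apache.commons.fileupload.disk.DiskFileItemFactory;

public final class PrivateUploadRepository {

    // Directory name under user.home is an assumption for this example.
    private static final String REPO_NAME = ".example-app-uploads";

    /** Creates (or reuses) an owner-only directory under user.home and returns it. */
    public static File prepareRepository() throws IOException {
        Path repo = Paths.get(System.getProperty("user.home"), REPO_NAME);
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rwx------");
        if (!Files.exists(repo)) {
            // Requested mode is still subject to the process umask, hence the re-check below.
            Files.createDirectory(repo, PosixFilePermissions.asFileAttribute(ownerOnly));
        }
        // Refuse a symlink (could point into a shared location) or a non-directory.
        if (Files.isSymbolicLink(repo) || !Files.isDirectory(repo)) {
            throw new IOException("upload repository is not a plain directory: " + repo);
        }
        // Refuse a directory other local users can write to; on a non-POSIX
        // filesystem this call throws UnsupportedOperationException.
        Set<PosixFilePermission> actual = Files.getPosixFilePermissions(repo);
        if (actual.contains(PosixFilePermission.GROUP_WRITE)
                || actual.contains(PosixFilePermission.OTHERS_WRITE)) {
            throw new IOException("upload repository is group/world writable: " + repo);
        }
        return repo.toFile();
    }

    /** Factory whose on-disk temp files go to the private repository, not java.io.tmpdir. */
    public static DiskFileItemFactory newFactory() throws IOException {
        DiskFileItemFactory factory = new DiskFileItemFactory();
        factory.setRepository(prepareRepository());
        return factory;
    }
}
```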
