commons-issues mailing list archives

From "Artem Smotrakov (JIRA)" <j...@apache.org>
Subject [jira] [Created] (FILEUPLOAD-298) Don't use temp directory by default for storing uploaded files
Date Mon, 08 Apr 2019 09:48:00 GMT
Artem Smotrakov created FILEUPLOAD-298:
------------------------------------------

             Summary: Don't use temp directory by default for storing uploaded files
                 Key: FILEUPLOAD-298
                 URL: https://issues.apache.org/jira/browse/FILEUPLOAD-298
             Project: Commons FileUpload
          Issue Type: Improvement
            Reporter: Artem Smotrakov


By default, DiskFileItem stores uploaded files in the directory defined by the java.io.tmpdir
system property, which creates a weakness described in CVE-2013-0248.

[https://nvd.nist.gov/vuln/detail/CVE-2013-0248]

The patch for CVE-2013-0248 just updates the docs with a note that the setRepository() method
must be used in the case of an untrusted environment.

[https://github.com/apache/commons-fileupload/commit/f874563307c1159ac634df67509d9859bca6ddb9]

I am wondering if it would be better to use the user.dir or user.home system properties instead
of java.io.tmpdir:
 * Normally only the user who started the application can write to user.home
 * It seems to be more likely that user.dir is not publicly writable

I am attaching a draft patch which updates DiskFileItem to use a subdirectory under user.dir,
although user.home looks to be a better option from a security perspective.

If there are no objections, I will finalize the patch and create a pull request.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
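
The setRepository() mitigation mentioned in the message, sketched as an added example (not part of the original message or the attached patch, and not Commons FileUpload's own code). It assumes commons-fileupload 1.x on a POSIX file system; the class name, method names and the directory under user.home are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;

// Added example: class, method and directory names are hypothetical.
public final class PrivateUploadRepository {

    /** Creates (or validates) an owner-only directory for DiskFileItem spill files. */
    static Path prepare(Path dir) throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rwx------");
        // Permissions are set at creation time; an already existing directory is left as-is,
        // which is why the checks below run in both cases.
        Files.createDirectories(dir, PosixFilePermissions.asFileAttribute(ownerOnly));
        // Reject a pre-planted symlink standing in for the repository.
        if (!Files.isDirectory(dir, LinkOption.NOFOLLOW_LINKS)) {
            throw new IOException("not a real directory: " + dir);
        }
        // Reject a directory that group or other users can list, enter or write to.
        if (!Files.getPosixFilePermissions(dir, LinkOption.NOFOLLOW_LINKS).equals(ownerOnly)) {
            throw new IOException("repository is accessible to other users: " + dir);
        }
        // Assumption: user.name has not been overridden and names the process account.
        String me = System.getProperty("user.name");
        if (!Files.getOwner(dir, LinkOption.NOFOLLOW_LINKS).getName().equals(me)) {
            throw new IOException("repository is not owned by " + me + ": " + dir);
        }
        return dir;
    }

    /** Builds a factory whose temporary files do not land in java.io.tmpdir. */
    static DiskFileItemFactory newFactory(Path dir) throws IOException {
        DiskFileItemFactory factory = new DiskFileItemFactory();
        factory.setRepository(prepare(dir).toFile()); // overrides the java.io.tmpdir default
        return factory;
    }

    public static void main(String[] args) throws IOException {
        // Assumed location under user.home; choose one that suits the deployment.
        Path dir = Paths.get(System.getProperty("user.home"), ".example-app", "uploads");
        DiskFileItemFactory factory = newFactory(dir);
        System.out.println("upload repository: " + factory.getRepository());
    }
}
```

The returned factory is what the application hands to its upload handler (for example ServletFileUpload) in place of a default-constructed one.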
