commons-issues mailing list archives

From "Artem Smotrakov (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (FILEUPLOAD-298) Don't use temp directory by default for storing uploaded files
Date Mon, 08 Apr 2019 11:44:00 GMT

    [ https://issues.apache.org/jira/browse/FILEUPLOAD-298?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16812286#comment-16812286 ]

Artem Smotrakov edited comment on FILEUPLOAD-298 at 4/8/19 11:43 AM:
---------------------------------------------------------------------

One thing we need to think about is that uploaded files have to be stored outside webroot.
The directory to which files are uploaded should be outside of the website’s public directory,
so that the attackers cannot execute the file via a website URL.

Normally an application should be configured to use a separate directory for webroot. It
may happen that webroot is under user.dir or user.home. It should not be a problem if uploaded
files are stored to a subdirectory under user.dir or user.home (unless there is another vulnerability
which allows writing files outside that directory).


was (Author: asmotrakov):
One thing we need to think about is that uploaded files have to be stored outside webroot.
The directory to which files are uploaded should be outside of the website’s public directory,
so that the attackers cannot execute the file via a website URL.

> Don't use temp directory by default for storing uploaded files
> --------------------------------------------------------------
>
>                 Key: FILEUPLOAD-298
>                 URL: https://issues.apache.org/jira/browse/FILEUPLOAD-298
>             Project: Commons FileUpload
>          Issue Type: Improvement
>            Reporter: Artem Smotrakov
>            Priority: Major
>         Attachments: use_app_work_directory_v1.patch
>
>
> By default, DiskFileItem stores uploaded files in the directory defined by java.io.tmpdir system property which creates a weakness described in CVE-2013-0248.
> [https://nvd.nist.gov/vuln/detail/CVE-2013-0248]
> The patch for CVE-2013-0248 just updates the docs with a note that the setRepository() method must be used in case of an untrusted environment.
> [https://github.com/apache/commons-fileupload/commit/f874563307c1159ac634df67509d9859bca6ddb9]
> I am wondering if it would be better to use user.dir or user.home system properties instead of java.io.tmpdir:
>  * Normally only the user who started the application can write to user.home
>  * It seems to be more likely that user.dir is not publicly writable
> I am attaching a draft patch which updates DiskFileItem to use a subdirectory under user.dir although user.home looks to be a better option from a security perspective.
> If no objections, I will finalize the patch and create a pull request.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
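
The setup discussed in this issue, as an added example that is not part of the original message or of Commons FileUpload: an owner-only upload directory under user.home, checked to lie outside webroot, is passed to setRepository() so that DiskFileItem does not fall back to java.io.tmpdir. It assumes Commons FileUpload 1.x and a POSIX file system; the directory name `app-uploads` and the webroot argument are hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

import org.apache.commons.fileupload.disk.DiskFileItemFactory;

public class PrivateUploadRepository {

    /** Creates or validates an owner-only directory under user.home that is outside webRoot. */
    static File prepare(Path webRoot, String dirName) throws IOException {
        Path repo = Paths.get(System.getProperty("user.home"), dirName);
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rwx------");
        if (Files.notExists(repo, LinkOption.NOFOLLOW_LINKS)) {
            // Assumption: POSIX file system. On Windows an ACL would be needed instead.
            Files.createDirectory(repo, PosixFilePermissions.asFileAttribute(ownerOnly));
        }
        // Refuse a symlink or regular file that already sits at that path.
        if (!Files.isDirectory(repo, LinkOption.NOFOLLOW_LINKS)) {
            throw new IOException("Not a real directory: " + repo);
        }
        // Refuse a directory that group or other users can read or write.
        if (!Files.getPosixFilePermissions(repo, LinkOption.NOFOLLOW_LINKS).equals(ownerOnly)) {
            throw new IOException("Permissions are not owner-only: " + repo);
        }
        // Resolve symlinks on both sides, so a webroot located under user.home is caught.
        if (repo.toRealPath().startsWith(webRoot.toRealPath())) {
            throw new IOException("Upload directory is inside webroot: " + repo);
        }
        return repo.toFile();
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            throw new IllegalArgumentException("usage: PrivateUploadRepository <webroot>");
        }
        File repo = prepare(Paths.get(args[0]), "app-uploads"); // hypothetical directory name
        DiskFileItemFactory factory = new DiskFileItemFactory();
        factory.setRepository(repo); // items over the size threshold are written here
        System.out.println("Upload repository: " + factory.getRepository());
    }
}
```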
