[ https://issues.apache.org/jira/browse/FILEUPLOAD-298?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16812286#comment-16812286 ]

Artem Smotrakov commented on FILEUPLOAD-298:
--------------------------------------------

One thing we need to think about is that uploaded files have to be stored 
outside the webroot. The directory to which files are uploaded should be outside of 
the website’s public directory, so that attackers cannot execute the file 
via a website URL.

> Don't use temp directory by default for storing uploaded files
> --------------------------------------------------------------
>
>                 Key: FILEUPLOAD-298
>                 URL: https://issues.apache.org/jira/browse/FILEUPLOAD-298
>             Project: Commons FileUpload
>          Issue Type: Improvement
>            Reporter: Artem Smotrakov
>            Priority: Major
>         Attachments: use_app_work_directory_v1.patch
>
>
> By default, DiskFileItem stores uploaded files in the directory defined by 
> java.io.tmpdir system property which creates a weakness described in 
> CVE-2013-0248.
> [https://nvd.nist.gov/vuln/detail/CVE-2013-0248]
> The patch for CVE-2013-0248 just updates the docs with a note that the 
> setRepository() method must be used in case of an untrusted environment.
> [https://github.com/apache/commons-fileupload/commit/f874563307c1159ac634df67509d9859bca6ddb9]
> I am wondering if it would be better to use user.dir or user.home system 
> properties instead of java.io.tmpdir:
>  * Normally only the user who started the application can write to user.home
>  * It seems to be more likely that user.dir is not publicly writable
> I am attaching a draft patch which updates DiskFileItem to use a subdirectory 
> under user.dir, although user.home looks to be a better option from a security 
> perspective.
> If no objections, I will finalize the patch and create a pull request.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
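
The two points raised in this thread (call setRepository() instead of relying on java.io.tmpdir, and keep the upload directory outside the webroot) can be combined as in the following added example, which is not code from Commons FileUpload or from the attached patch. It assumes a POSIX file system and Commons FileUpload 1.x on the classpath; the class name, the application name "myapp" and the webRoot parameter are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;

public class PrivateUploadRepository {

    // Creates or validates an owner-only directory under user.home and
    // rejects any location that resolves inside the web root.
    static Path prepare(Path webRoot, String appName) throws IOException {
        Path repo = Paths.get(System.getProperty("user.home"))
                         .resolve("." + appName).resolve("uploads");
        // rwx------ is applied only to directories created by this call.
        Files.createDirectories(repo, PosixFilePermissions.asFileAttribute(
                PosixFilePermissions.fromString("rwx------")));

        // Resolve symlinks before comparing, so a link cannot point the
        // repository back into the publicly served tree.
        Path real = repo.toRealPath();
        if (real.startsWith(webRoot.toRealPath())) {
            throw new IOException("upload repository is inside the webroot: " + real);
        }

        // A pre-existing directory keeps its old mode, so check it explicitly.
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(real);
        if (perms.contains(PosixFilePermission.GROUP_WRITE)
                || perms.contains(PosixFilePermission.OTHERS_WRITE)) {
            throw new IOException("upload repository is writable by other users: " + real);
        }
        return real;
    }

    // webRoot is an assumption: in a servlet container it would typically
    // come from ServletContext.getRealPath("/").
    static DiskFileItemFactory newFactory(Path webRoot) throws IOException {
        DiskFileItemFactory factory = new DiskFileItemFactory();
        // Without this call, DiskFileItem falls back to java.io.tmpdir.
        factory.setRepository(prepare(webRoot, "myapp").toFile());
        return factory;
    }
}
```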
