[ https://issues.apache.org/jira/browse/FILEUPLOAD-298?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16812286#comment-16812286 ]

Artem Smotrakov edited comment on FILEUPLOAD-298 at 4/8/19 11:43 AM:
---------------------------------------------------------------------

One thing we need to think about is that uploaded files have to be stored 
outside webroot. The directory to which files are uploaded should be outside of 
the website’s public directory, so that the attackers cannot execute the file 
via a website URL.

Normally an application should be configured to use a separate directory for 
webroot. It may happen that webroot is under user.dir or user.home. It should 
not be a problem if uploaded files are stored in a subdirectory under user.dir 
or user.home (unless there is another vulnerability which allows writing files 
outside that directory).


was (Author: asmotrakov):
One thing we need to think about is that uploaded files have to be stored 
outside webroot. The directory to which files are uploaded should be outside of 
the website’s public directory, so that the attackers cannot execute the file 
via a website URL.

> Don't use temp directory by default for storing uploaded files
> --------------------------------------------------------------
>
>                 Key: FILEUPLOAD-298
>                 URL: https://issues.apache.org/jira/browse/FILEUPLOAD-298
>             Project: Commons FileUpload
>          Issue Type: Improvement
>            Reporter: Artem Smotrakov
>            Priority: Major
>         Attachments: use_app_work_directory_v1.patch
>
>
> By default, DiskFileItem stores uploaded files in the directory defined by 
> the java.io.tmpdir system property, which creates a weakness described in 
> CVE-2013-0248.
> [https://nvd.nist.gov/vuln/detail/CVE-2013-0248]
> The patch for CVE-2013-0248 just updates the docs with a note that the 
> setRepository() method must be used in an untrusted environment.
> [https://github.com/apache/commons-fileupload/commit/f874563307c1159ac634df67509d9859bca6ddb9]
> I am wondering if it would be better to use user.dir or user.home system 
> properties instead of java.io.tmpdir:
>  * Normally only the user who started the application can write to user.home
>  * It seems to be more likely that user.dir is not publicly writable
> I am attaching a draft patch which updates DiskFileItem to use a subdirectory 
> under user.dir, although user.home looks to be a better option from a security 
> perspective.
> If there are no objections, I will finalize the patch and create a pull request.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
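
An added example, not part of the original message, the attached patch, or the project's code: an application that sets the repository explicitly instead of relying on the java.io.tmpdir default, using a subdirectory of user.home that is checked to lie outside webroot and restricted to its owner. The class name `UploadRepository`, the helper `prepare`, the directory name `fileupload-repo` and the webroot argument are assumptions for illustration; `DiskFileItemFactory.setRepository(File)` is the Commons FileUpload 1.x call.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

import org.apache.commons.fileupload.disk.DiskFileItemFactory;

public class UploadRepository {

    /** Creates an owner-only upload directory under base and rejects one that lies inside webRoot. */
    static File prepare(Path base, String name, Path webRoot) throws IOException {
        Path repo = Files.createDirectories(base.resolve(name));
        // Compare real paths so a symlink cannot hide a location under webroot.
        Path realRepo = repo.toRealPath();
        if (realRepo.startsWith(webRoot.toRealPath())) {
            throw new IOException("upload repository is inside webroot: " + realRepo);
        }
        // On POSIX file systems, restrict the directory to the account running the application.
        if (Files.getFileStore(realRepo).supportsFileAttributeView("posix")) {
            Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rwx------");
            Files.setPosixFilePermissions(realRepo, ownerOnly);
        }
        return realRepo.toFile();
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: UploadRepository <webroot>");
            System.exit(2);
        }
        // Hypothetical layout: repository in a subdirectory of user.home.
        Path home = Paths.get(System.getProperty("user.home"));
        File repository = prepare(home, "fileupload-repo", Paths.get(args[0]));

        DiskFileItemFactory factory = new DiskFileItemFactory();
        // Overrides the java.io.tmpdir default discussed in the issue.
        factory.setRepository(repository);
        System.out.println("upload repository: " + factory.getRepository());
    }
}
```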
