My experience is that the uploaded file is (as Jonathan says) stored outside the web root in upload_tmp_dir until the node is saved by the module handling the upload. From what you describe you must have private files enabled, so unless your web server has a web-accessible tmp dir I think you're fairly good there.
Looking at file_save_upload() it's true that move_uploaded_file() happens before the file goes into the DB, but it may be that the file is protected (default for private files) until the node is saved (and published) later on in node_save(). You might have already established good cause for your client's unease of mind, so: have you already proved to yourself that the file is accessible for an attacker between file upload and node save? If not then you should test this for your own peace of mind :)

One way would be to add sleep(30) to an implementation of hook_nodeapi() for a module which runs just before the upload module (or whatever handles your node's file attachment). You should then have time to verify that the uploaded file isn't accessible at this point (I think it's in upload_tmp_dir here). Alter your custom module's weight to run just after upload (etc) and verify that the file is protected once it's moved into place (even while the node is still not finished saving, because private files won't share a file attached to an unsaved/unpublished node).

That doesn't cover the fraction of time after move_uploaded_file() is called in upload module. Throw a sleep() in there too and check that to be sure.

Would be interested to hear your results - but if you do find a security issue, please don't post it here! See http://drupal.org/node/101494 instead.

On 12/04/2011, at 9:50 PM, "Jonathan Hunt" <[email protected]> wrote:

> On Tue, April 12, 2011 9:33 pm, Paul Bennett wrote:
>> I have an app with a content type that allows file attachments. The
>> content type is set to only allow users of a certain role to view these
>> attachments, which works fine after the node has been saved (the file
>> inherits the node's permissions).
>>
>> The way the drupal (6) upload module works however, is to load the file to
>> the server and then only apply the node or role level permissions after
>> the node is saved.
>> This means that between the time the file is loaded to the server and the
>> node is saved the file is completely unsecured, and my client is extremely
>> security conscious.
>>
>> Does anyone have any suggestions for how to secure the file so it can't be
>> accessed directly before the node is saved?
>>
>> (I've looked at the standard private upload option but the file is still
>> only secured after the node is saved)
>
> If you are using private files and have the file dir outside the webroot,
> then there is no means for an external user to reach the file. The file
> will only be reachable when saved, when Drupal can build a path to the
> file.
>
> Uploads are normally placed in a tmp dir, then transferred to the file
> dir, but external web users should not have access to tmp.
>
> Regards
> Jonathan
> --
> http://huntdesign.co.nz
>
>
> --
> NZ PHP Users Group: http://groups.google.com/group/nzphpug
> To post, send email to [email protected]
> To unsubscribe, send email to
> [email protected]
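The sleep()-in-hook_nodeapi() test described in the reply above, written out as a throwaway Drupal 6 module. This is an added example, not code from the thread or from Drupal core; the module name uploadprobe is hypothetical, and it assumes core upload.module (weight 0) is what attaches the files, so that $node->files is populated by upload_node_form_submit() when node_save() fires the insert/update ops. Besides pausing, it logs each file's path, its {files} status and whether upload.module has already linked it to the node in {upload}, because upload_file_download() only serves a private file after finding it through that {upload} join; the log line can then be compared against what a second browser session actually gets back.

```php
<?php
// uploadprobe.module (hypothetical name). Added example for the timing
// check in the thread: pause inside hook_nodeapi() so a second session can
// try to fetch the attached file by URL while node_save() is still running.
//
// Assumes Drupal 6 core upload.module handles the attachment and that the
// private download method (system/files/...) is in use.

/**
 * Implementation of hook_install().
 *
 * Weight -1 makes uploadprobe_nodeapi() run just BEFORE upload_nodeapi()
 * (weight 0). Re-run this query with 1 to run just AFTER upload instead.
 */
function uploadprobe_install() {
  db_query("UPDATE {system} SET weight = %d WHERE name = '%s'", -1, 'uploadprobe');
}

/**
 * Implementation of hook_nodeapi().
 *
 * On insert/update, record where every attached file stands and then hold
 * the request for 30 seconds.
 */
function uploadprobe_nodeapi(&$node, $op, $a3 = NULL, $a4 = NULL) {
  if (($op != 'insert' && $op != 'update') || empty($node->files)) {
    return;
  }

  foreach ($node->files as $fid => $file) {
    // Entries are arrays straight from the node form, objects when loaded
    // from {upload} for an existing node; normalise to an object.
    $file = (object) $file;

    // Has upload.module linked this file to the node yet? This is the row
    // upload_file_download() needs before it will serve the file.
    $linked = db_result(db_query(
      "SELECT COUNT(*) FROM {upload} WHERE fid = %d AND nid = %d",
      $fid, $node->nid
    ));

    watchdog('uploadprobe',
      'op %op nid %nid fid %fid path %path: on disk %exists, status %status, in {upload} %linked',
      array(
        '%op'     => $op,
        '%nid'    => $node->nid,
        '%fid'    => $fid,
        '%path'   => $file->filepath,
        '%exists' => file_exists($file->filepath) ? 'yes' : 'no',
        // FILE_STATUS_TEMPORARY (0) until upload_save() marks it permanent.
        '%status' => isset($file->status) ? $file->status : '?',
        '%linked' => $linked ? 'yes' : 'no',
      ),
      WATCHDOG_NOTICE);
  }

  // Hold the request here. From a second session (and as an anonymous
  // user), request system/files/<filename> and note what comes back.
  sleep(30);
}
```

Enable the module, save a node with an attachment, and during the pause request the file from another browser as a user who should not see it; then change the weight to 1 and repeat so the pause falls after upload_nodeapi() has run upload_save(). Compare each attempt with the watchdog entry for the same fid. As the reply notes, this does not cover the moment between move_uploaded_file() inside file_save_upload() and the end of upload_node_form_submit(); that window needs a sleep() dropped into upload.module itself.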
