URL:
<http://savannah.gnu.org/support/?109422>
Summary: Temporary upload (/register/upload.php) can
overwrite another user's file if filename is the same
Project: Savannah Administration
Submitted by: drw
Submitted on: Mon 27 Nov 2017 08:36:16 PM UTC
Category: Savannah trackers - bugs, tasks, etc.
Priority: 5 - Normal
Severity: 6 - Security
Status: None
Assigned to: None
Originator Email:
Operating System: GNU/Linux
Open/Closed: Open
Discussion Lock: Any
_______________________________________________________
Details:
_Problem_
Uploading a file via /register/upload.php will overwrite a file of the same
name in $GLOBALS['sys_upload_dir'] (on mine /var/www/submissions_uploads/).
I have reproduced this on my system (details below) with two different users,
each uploading a file with the same filename but different contents. I checked
that the file's size and contents in /var/www/submissions_uploads/ had changed
between the two uploads.
_Potential Solutions_
Checking online, PHP's move_uploaded_file() apparently will overwrite files.
Perhaps check whether a file already exists of the same name, and change the
name of the newly uploaded file (perhaps add a unique identifier). Inform the
user of the changed filename (obviously).
_My System and Savane Version_
savane version: git commit af1d2bb2918e48bc1d8c5df244872566f9f81ec7 (Thu Sep
28 10:54:57 2017 +0000)
I am running savane in a docker (version 1.6.2) container on my Debian Jessie
machine. The docker container is based on a Debian Jessie image. Otherwise,
setup was taken from
https://savannah.gnu.org/maintenance/RunningSavaneLocally/ (my MySQL server
runs on another local docker container).
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/support/?109422>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
