Ticket #282 (closed defect: fixed)

Opened 5 years ago

Last modified 5 years ago

fileFieldElement stores uploaded files in wide-open directory

Reported by: work@… Owned by: work@…
Priority: critical Milestone: Should have
Component: Core Functionality Version: 0.6.3
Keywords: Cc:
Hardware: Operating system:
Product: URL:

Description

The fileFieldElement allows ajax-upload of a file, but stores the files it uploads in web-app/fileuploads, which is a directory accessible from the web (e.g. http://ci.gscf.nmcdsp.org/fileuploads/subject importer_jildaur.xls)

This is a potential security flaw!

In order of preference, the following solutions should be applied:

  1. store file uploads in a folder that is not accessible through the web (e.g. /tmp or a temp folder if you're running windoze)
  2. if impossible (which I doubt) make sure that the folder is not accessible through the web (e.g. via url mappings or .htaccess)

Change History

comment:1 Changed 5 years ago by robert@…

  • Status changed from new to assigned
  • Owner changed from robert@… to work@…

comment:2 Changed 5 years ago by work@…

  • Owner changed from work@… to robert@…

While I understand your current position, I am not really in the mood of bugfixing your bugs... I have enough work on my own plate... Better discuss this with your superior...

comment:3 Changed 5 years ago by work@…

  • Component changed from Unknown to Core Functionality

comment:4 Changed 5 years ago by robert@…

  • Owner changed from robert@… to work@…

The upload directory is now configurable with the option uploads.uploadDir. See Config.groovy, r1508 and grails-plugins r122
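
Added example (not code from the GSCF project or from this ticket's authors): a Groovy script showing the kind of configuration and startup guard the ticket's first solution calls for. The option name uploads.uploadDir comes from comment:4; the helper names isOutsideWebRoot and assertPrivateUploadDir, the sample web-root and upload paths, and the idea of placing the guard in BootStrap.groovy are assumptions for illustration.

```groovy
import java.nio.file.Path
import java.nio.file.Paths

// Value for the uploads.uploadDir option named in comment:4 (the path is a
// constructed example, not the project's default): a directory under the
// system temp folder, which the web container never serves.
String uploadDir = new File(System.getProperty('java.io.tmpdir'), 'gscf-uploads').path

// Hypothetical helper: true when uploadDir does not resolve to a location
// inside webRoot. Both paths are made absolute and normalised so that '..'
// segments cannot disguise a directory that is really under web-app.
boolean isOutsideWebRoot(String uploadDir, String webRoot) {
    Path upload = Paths.get(uploadDir).toAbsolutePath().normalize()
    Path root = Paths.get(webRoot).toAbsolutePath().normalize()
    return !upload.startsWith(root)
}

// Hypothetical startup guard (e.g. for BootStrap.groovy): fail fast instead of
// silently serving every uploaded file at a public URL.
void assertPrivateUploadDir(String uploadDir, String webRoot) {
    if (!isOutsideWebRoot(uploadDir, webRoot)) {
        throw new IllegalStateException(
            "uploads.uploadDir '${uploadDir}' lies inside the web root '${webRoot}'; " +
            "uploaded files would be served directly by the web server")
    }
    File dir = new File(uploadDir)
    if (!dir.isDirectory() && !dir.mkdirs()) {
        throw new IllegalStateException("cannot create uploads.uploadDir '${uploadDir}'")
    }
}

// Constructed demonstration values.
String webRoot = '/srv/gscf/web-app'
assert isOutsideWebRoot('/tmp/gscf-uploads', webRoot)
assert !isOutsideWebRoot('/srv/gscf/web-app/fileuploads', webRoot)            // the layout this ticket reports
assert !isOutsideWebRoot('/srv/gscf/web-app/../web-app/fileuploads', webRoot) // '..' does not hide it
assertPrivateUploadDir(uploadDir, webRoot)
println "uploads.uploadDir = ${uploadDir} is outside ${webRoot}"
```

The check compares normalised absolute paths element by element (Path.startsWith), so a sibling directory such as web-app-private is correctly treated as outside the web root, while any relative or dot-dot spelling of a path under web-app is rejected.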

comment:5 Changed 5 years ago by robert@…

BTW: to function properly, this fix probably needs an update of the gdt plugin. See also #288.

comment:6 Changed 5 years ago by work@…

  • Status changed from assigned to closed
  • Resolution set to fixed

GDT updated in r1509 and gdt r128
