Ticket #282 (closed defect: fixed)

Opened 3 years ago

Last modified 3 years ago

fileFieldElement stores uploaded files in wide-open directory

Reported by: work@… Owned by: work@…
Priority: critical Milestone: Should have
Component: Core Functionality Version: 0.6.3
Keywords: Cc:
Product: Operating system:
URL: Hardware:

Description

The fileFieldElement allows ajax-upload of a file, but stores the files it uploads in web-app/fileuploads, which is a directory that is accessible from the web (e.g. http://ci.gscf.nmcdsp.org/fileuploads/subject importer_jildaur.xls)

This is a potential security flaw!

In order of preference, the following solutions should be applied:

1. store file uploads in a folder that is not accessible through the web (e.g. /tmp or a temp folder if you're running windoze)
2. if impossible (which I doubt) make sure that the folder is not accessible through the web (e.g. via url mappings or .htaccess)

Change History

Changed 3 years ago by robert@…

  • owner changed from robert@… to work@…
  • status changed from new to assigned

Changed 3 years ago by work@…

  • owner changed from work@… to robert@…

While I understand your current position, I am not really in the mood for bugfixing your bugs... I have enough work on my own plate... Better discuss this with your superior...

Changed 3 years ago by work@…

  • component changed from Unknown to Core Functionality

Changed 3 years ago by robert@…

  • owner changed from robert@… to work@…

The upload directory is now configurable with the option uploads.uploadDir. See Config.groovy, r1508 and grails-plugins r122
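The two points above, the reporter's preferred fix (store uploads outside the web root, falling back to a temp folder on Windows) and the new uploads.uploadDir option, as an added example. This is not GSCF's own code: only the option name uploads.uploadDir comes from the ticket; the directory values, the BootStrap check and the helper name isInsideWebRoot are assumptions for illustration.

```groovy
// grails-app/conf/Config.groovy (added example)

// Vulnerable setting, as in the ticket: web-app/ is the servlet container's
// document root, so every uploaded file becomes reachable as /fileuploads/<name>.
// uploads.uploadDir = "web-app/fileuploads"

// Fixed setting: a directory the container never maps a URL onto. java.io.tmpdir is
// /tmp on Unix and the user's temp folder on Windows, which covers both cases the
// reporter lists. Keep it outside the deployed WAR, never under web-app/.
uploads.uploadDir = new File(System.getProperty("java.io.tmpdir"), "gscf-uploads").absolutePath


// grails-app/conf/BootStrap.groovy (added example, hypothetical)
// Refuse to start if the configured upload directory still lies inside the web root,
// so a bad deployment-time override cannot silently reintroduce the exposure.
class BootStrap {
    def grailsApplication

    // True when candidate is webRoot itself or any path below it (both canonicalised,
    // so symlinks and ".." segments cannot disguise a directory under web-app/).
    static boolean isInsideWebRoot(File candidate, File webRoot) {
        String dir = candidate.canonicalPath
        String root = webRoot.canonicalPath
        return dir == root || dir.startsWith(root + File.separator)
    }

    def init = { servletContext ->
        def configured = grailsApplication.config.uploads.uploadDir
        if (!(configured instanceof CharSequence) || !configured.toString().trim()) {
            throw new IllegalStateException("uploads.uploadDir is not configured")
        }
        File uploadDir = new File(configured.toString())

        // getRealPath can return null for an unexploded WAR; then there is no
        // on-disk web root to compare against and the check is skipped.
        String realRoot = servletContext.getRealPath("/")
        if (realRoot != null && isInsideWebRoot(uploadDir, new File(realRoot))) {
            throw new IllegalStateException(
                "uploads.uploadDir '${uploadDir}' lies inside the web root '${realRoot}'; " +
                "uploaded files would be served over HTTP")
        }

        if (!uploadDir.exists() && !uploadDir.mkdirs()) {
            throw new IllegalStateException("cannot create upload directory '${uploadDir}'")
        }
    }

    def destroy = { }
}
```

The startup check is the part worth keeping even if the directory value changes per deployment: the ticket's fix makes the location configurable, which means an operator can point it back under web-app/ by accident, and failing fast at boot is cheaper than discovering it from a URL like the one in the report. On a shared host, also note that java.io.tmpdir is world-readable by default, so restrict permissions on the created directory or pick a dedicated path.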

Changed 3 years ago by robert@…

BTW: to function properly, this fix probably needs an update of the gdt plugin. See also #288.

Changed 3 years ago by work@…

  • status changed from assigned to closed
  • resolution set to fixed

GDT updated in r1509 and gdt r128
