[mp_file] Security issue?
Korchkidu - October 3, 2009 - 15:42
| Project: | Ubercart Marketplace |
| Version: | 6.x-1.x-dev |
| Component: | Code |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
Description
Hi,
When a user uploads a file when creating a file product, it is first moved to the Drupal file directory. After the form submission, it is then moved to a "private" directory for security reasons. But before the user actually submits the form, it is publicly available, no? If yes, is there a simple way to force uploading the file into the private final directory directly?
Best regards.
K.

#1
It is temporarily available publicly, but per the recommendation (hopefully noted somewhere in docs), if you make the filefield upload directory some very long randomly named subdirectory of /files, you get relatively good security (because no one will be able to guess the subdirectory name).