[mp_file] Security issue?

Korchkidu - October 3, 2009 - 15:42
Project: Ubercart Marketplace
Version: 6.x-1.x-dev
Component: Code
Category: feature request
Priority: normal
Assigned: Unassigned
Status: active
Description

Hi,

When a user uploads a file when creating a file product, it is first moved to the Drupal file directory. After the form submission, it is then moved to a "private" directory for security reasons. But before the user actually submits the form, it is publicly available, no? If yes, is there a simple way to force uploading the file in the private final directory directly?

Best regards.
K.

#1

Turgrid - October 7, 2009 - 17:38

It is temporarily available publicly, but per the recommendation (hopefully noted somewhere in docs), if you make the filefield upload directory some very long randomly named subdirectory of /files, you get relatively good security (because no one will be able to guess the subdirectory name).
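
The mitigation described in #1, as an added example that is not part of the original thread or the module's code: it creates the randomly named subdirectory from a CSPRNG and audits an existing one. The function names, the 128-bit threshold, the temporary stand-in for `/files` and the Apache `.htaccess` check are assumptions of this example.

```python
import os
import secrets
import string
import tempfile

MIN_NAME_BITS = 128  # assumed threshold for "cannot be guessed"; not from the thread
TOKEN_CHARS = set(string.ascii_letters + string.digits + "-_")


def create_staging_dir(files_root, nbytes=32):
    """Create files_root/<random name> using the OS CSPRNG; return its path."""
    path = os.path.join(files_root, secrets.token_urlsafe(nbytes))  # 32 bytes -> 43 chars
    os.mkdir(path, 0o750)  # no access for other local accounts
    return path


def audit_staging_dir(path):
    """Return reasons why the directory could be guessed or discovered."""
    findings = []
    path = os.path.normpath(path)
    name = os.path.basename(path)
    # Upper bound only: 6 bits per character if every character was random.
    # It can show a name is too short, not that a long name is random.
    if not set(name) <= TOKEN_CHARS:
        findings.append("name is not a URL-safe random token")
    elif len(name) * 6 < MIN_NAME_BITS:
        findings.append(f"name carries at most {len(name) * 6} bits, need {MIN_NAME_BITS}")
    # Apache assumption: the name is no secret if the parent can be listed.
    try:
        with open(os.path.join(os.path.dirname(path), ".htaccess")) as fh:
            rules = fh.read()
    except FileNotFoundError:
        rules = ""
    if "-Indexes" not in rules and "Options None" not in rules:
        findings.append("parent .htaccess does not disable directory listing")
    if os.stat(path).st_mode & 0o007:
        findings.append("directory is accessible to other local accounts")
    return findings


if __name__ == "__main__":
    root = tempfile.mkdtemp()  # constructed stand-in for Drupal's /files
    staging = create_staging_dir(root)
    print(staging, audit_staging_dir(staging))
```

The `.htaccess` check is a plain string match, so treat an empty result as a starting point and confirm the effective server configuration separately.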

 
 
