Hi.

Why isn't the site's temp directory used?
Or why can't we change our images' temp directory?

You can now upload any file you like and it gets in the temp dir...
This dir is accessible by the web and thus pretty dangerous...

For the sitewide temp dir, I've chosen a temp dir that isn't accessible through the web...

Another solution could be that you provide a .htaccess file to protect the image directories...

Comments

ednique

Come on... anyone???
this one is critical...

drewish

Version: 4.7.x-1.x-dev » 5.x-1.x-dev

The site's temp directory isn't used because it makes it much harder to do previews. This is something that should be addressed. At the very least, any non-image files should be deleted immediately after they're spotted rather than waiting for the cron job to do it.

walkah

Status: Active » Fixed

I've just committed a patch to prevent non-image files from being copied to the temp space - this fixes the issue:

http://drupal.org/cvs?commit=59186

However, the reason for a separate scratch space is as drewish suggests: for previewing images during the node submission process - this temp dir is where image.module creates its preview thumbnails, etc. Hence the reason for not using Drupal's tmp dir setting.

Anonymous

Status: Fixed » Closed (fixed)
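The kind of check discussed in this thread (refuse non-image uploads before they reach the web-accessible scratch directory, and delete them at once instead of waiting for cron), as an added example that is not the committed patch or image.module code. The function name `example_accept_image_upload` and the sample files are hypothetical, and it assumes PHP 7.1 or later.

```php
<?php
/**
 * Hypothetical helper (not image.module code): move an upload into the
 * web-accessible scratch directory only if its content is a supported image.
 * Returns the new path, or null if the file was rejected and deleted.
 */
function example_accept_image_upload(string $uploaded_path, string $scratch_dir): ?string {
  // Detected image types mapped to the only extensions we will ever write.
  $allowed = [
    IMAGETYPE_GIF => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG => 'png',
  ];

  // Inspect the file content. The client-supplied file name and MIME type
  // are attacker-controlled and are never consulted.
  $info = @getimagesize($uploaded_path);
  if ($info === false || !isset($allowed[$info[2]])) {
    // Delete immediately rather than leaving the file for the cron job.
    @unlink($uploaded_path);
    return null;
  }

  // Server-chosen random name with an extension derived from the content,
  // so an uploaded "something.php" never becomes a name under the web root.
  $name = bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
  $target = rtrim($scratch_dir, '/') . '/' . $name;

  // A real upload handler would use move_uploaded_file() here; rename()
  // keeps this example runnable from the command line.
  if (!rename($uploaded_path, $target)) {
    @unlink($uploaded_path);
    return null;
  }
  chmod($target, 0644);
  return $target;
}

// Constructed sample input: a PHP script and a 1x1 GIF.
$dir = sys_get_temp_dir() . '/scratch_' . bin2hex(random_bytes(4));
mkdir($dir, 0755);
$script = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($script, "<?php echo 'not an image';");
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw=='));

var_dump(example_accept_image_upload($script, $dir));
var_dump(example_accept_image_upload($gif, $dir));
var_dump(file_exists($script));
```

`getimagesize()` only reads the image header, so a file that passes can still carry extra bytes after the image data. The suggestion above to protect the image directories with a .htaccess file remains worthwhile alongside this check.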