temp directory usage insecure

ednique - October 10, 2006 - 13:57
Project:Image
Version:5.x-1.x-dev
Component:image.module
Category:bug report
Priority:critical
Assigned:Unassigned
Status:closed
Description

Hi.

Why isn't the site's temp directory used?
Or why can't we change our images' temp directory?

You can now upload any file you like and it gets in the temp dir...
This dir is accessible by the web and thus pretty dangerous...

For the sitewide temp dir, I've chosen a temp dir that isn't accessible through the web...

Another solution could be that you provide a .htaccess file to protect the image directories...

#1

ednique - October 17, 2006 - 09:00

Come on... anyone???
this one is critical...

#2

drewish - February 26, 2007 - 06:34
Version:4.7.x-1.x-dev» 5.x-1.x-dev

The site's temp directory isn't used because it makes it much harder to do previews. This is something that should be addressed. At the very least any non-image files should be deleted immediately after they're spotted rather than waiting for the cron job to do it.

#3

walkah - March 5, 2007 - 03:56
Status:active» fixed

I've just committed a patch to prevent non-image files from being copied to the temp space - this fixes the issue:

http://drupal.org/cvs?commit=59186

However, the reason for a separate scratch space is as drewish suggests: for previewing images during the node submission process - this temp dir is where image.module creates its preview thumbnails, etc. Hence the reason for not using Drupal's tmp dir setting.
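An added example, not the committed patch and not image.module's own code, of the check this comment describes: inspect the uploaded file's contents and admit it into the web-accessible scratch directory only when it really is an image, deleting it on the spot otherwise. `image_scratch_admit` and `$scratch_dir` are hypothetical names standing in for the module's temp space.

```php
<?php
// Added example (not image.module code). Admit an uploaded file into a
// web-accessible scratch directory only if its contents are an image.
// $scratch_dir is a hypothetical stand-in for image.module's temp space.

function image_scratch_admit($uploaded_tmp, $scratch_dir) {
    // Map of accepted image types to the extension the stored copy will get.
    // The client-supplied filename and MIME type are never consulted.
    $allowed = array(
        IMAGETYPE_GIF  => 'gif',
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_PNG  => 'png',
    );

    // getimagesize() parses the file header; a non-image yields false.
    $info = @getimagesize($uploaded_tmp);
    if ($info === false || !isset($allowed[$info[2]])) {
        // Not an image: remove it immediately rather than leaving it in
        // a web-reachable directory until cron gets around to it.
        @unlink($uploaded_tmp);
        return false;
    }

    // Header sniffing can be satisfied by a file that is also something
    // else, so the stored name is fully server-generated with an extension
    // derived from the detected type, never from the upload's own name.
    $dest = rtrim($scratch_dir, '/') . '/' . uniqid('preview_') . '.' . $allowed[$info[2]];
    if (!move_uploaded_file($uploaded_tmp, $dest)) {
        @unlink($uploaded_tmp);
        return false;
    }
    return $dest;
}
```

Because the scratch directory remains web-accessible, this check belongs alongside the .htaccess protection suggested in the original report, e.g. `SetHandler default-handler` for that directory so anything stored there is only ever served as static data.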

#4

Anonymous - March 19, 2007 - 04:00
Status:fixed» closed