Problem/Motivation

When executing a full export (/admin/config/development/configuration/full/export), the temporary file "TEMPDIR/config.tar.gz" does not have a unique filename and remains on the server.

michael@michael:/tmp$ ls -l conf*
-rw-r--r-- 1 michael www-data 33801 Okt 13 10:12 config.tar.gz
-rw-r--r-- 1 michael michael  33801 Okt 13 10:12 config-SITENAME-dev-bk-2015-10-13-08-12.tar.gz

Proposed resolution

The temporary filename should be unique, so that the filename cannot be known ahead of time and two Drupal 8 installations on the same server will not collide.

User interface changes

None
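One way to get both properties the summary asks for (an unguessable name and no file left behind), as an added example in plain PHP; it is not Drupal core code or a patch from this issue. The function names, the `config-export-` prefix and the sample payload are assumptions for illustration, and writing and sending happen in one call here to keep the cleanup visible.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not a Drupal API): creates a new, empty file with an
// unguessable name and returns [path, handle].
function create_unique_export_file(string $tempDir, string $prefix = 'config-export-'): array
{
    for ($attempt = 0; $attempt < 5; $attempt++) {
        // 128 bits from the CSPRNG: not derivable from time, PID or site name.
        $path = $tempDir . DIRECTORY_SEPARATOR . $prefix . bin2hex(random_bytes(16)) . '.tar.gz';
        // Mode 'x' is O_CREAT|O_EXCL: it fails if anything already exists at
        // $path (including a symlink), so an existing file is never reused.
        $handle = @fopen($path, 'xb');
        if ($handle !== false) {
            chmod($path, 0600); // owner-only, set before any data is written
            return [$path, $handle];
        }
    }
    throw new RuntimeException("Could not create a unique file in $tempDir");
}

// Writes the archive to a unique temp file, hands the path to $send, and
// always deletes the file afterwards, even if $send throws.
function with_temporary_export(string $tempDir, string $archiveBytes, callable $send): void
{
    [$path, $handle] = create_unique_export_file($tempDir);
    try {
        if (fwrite($handle, $archiveBytes) !== strlen($archiveBytes)) {
            throw new RuntimeException('Short write to temporary export file');
        }
        fclose($handle);
        $send($path);
    } finally {
        if (is_resource($handle)) {
            fclose($handle); // only still open if the write failed
        }
        @unlink($path);
    }
}

// Constructed demo: sample bytes stand in for the real tar.gz archive.
$payload = "constructed bytes standing in for the exported configuration archive\n";
$paths = [];
for ($i = 0; $i < 2; $i++) {
    with_temporary_export(sys_get_temp_dir(), $payload, function (string $path) use (&$paths): void {
        $paths[] = $path;
        printf("%s  mode=%o  bytes=%d\n", basename($path), fileperms($path) & 0777, filesize($path));
    });
}
var_dump($paths[0] !== $paths[1], file_exists($paths[0]) || file_exists($paths[1]));
```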

Comments

mmbk created an issue.

Version: 8.0.0-rc1 » 8.0.x-dev

Core issues are now filed against the dev versions where changes will be made. Document the specific release you are using in your issue comment.

Version: 8.0.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Branches prior to 8.8.x are not supported, and Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

pameeela commented:

Title: temporary config.tar.gz not deleted » Temporary configuration download 'config.tar.gz' should have a unique file name
Category: Bug report » Task
Issue tags: -Configuration system +Bug Smash Initiative

I have discussed the implications of this with @larowlan, who consulted with the security team. They agreed that because /tmp should be outside the web root and inaccessible, it only is a security issue if the server is misconfigured.

However, it would be an improvement if the filename were at least unique and could not be guessed.

Updated the issue based on this.

I think the resolution should be to use a unique name each time - and the suggestion should be to make sure your temp file path is configured to be somewhere that is a) outside the web root and b) unique to the site - so, e.g., /tmp on shared hosting is a bad idea.

Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.15 was released on June 1st, 2022 and is the final full bugfix release for the Drupal 9.3.x series. Drupal 9.3.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.4.x-dev branch from now on, and new development or disruptive changes should be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.9 was released on December 7, 2022 and is the final full bugfix release for the Drupal 9.4.x series. Drupal 9.4.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.5.x-dev branch from now on, and new development or disruptive changes should be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.