Problem/Motivation
When executing a full export
/admin/config/development/configuration/full/export
the temporary file "TEMPDIR/config.tar.gz" does not have a unique filename and remains on the server.
michael@michael:/tmp$ ls -l conf*
-rw-r--r-- 1 michael www-data 33801 Okt 13 10:12 config.tar.gz
-rw-r--r-- 1 michael michael 33801 Okt 13 10:12 config-SITENAME-dev-bk-2015-10-13-08-12.tar.gz
Proposed resolution
The temporary filename should be unique, so that it cannot be known ahead of time and two Drupal 8 installations on the same server will not collide.
User interface changes
None
Comments
Comment #4
pameeela commented:
I have discussed the implications of this with @larowlan, who consulted with the security team. They agreed that because /tmp should be outside the web root and inaccessible, it is only a security issue if the server is misconfigured.
However it would be an improvement if the filename were at least unique and could not be guessed.
Updated the issue based on this.
I think the resolution should be to use a unique name each time - and the suggestion should be to make sure your temp file path is configured to be somewhere that is a) outside the web root and b) unique to the site - so e.g. /tmp on shared hosting is a bad idea.
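As an added example (not Drupal core's code, and not from the issue authors), the fix direction described in the proposed resolution and in this comment, in plain PHP with hypothetical function names: the predictable path from the report beside a variant that creates a unique, unguessable archive path atomically with owner-only permissions, plus a check that the configured temp directory is not under the web root.

```php
<?php
// Added example, not Drupal core code. Function names are hypothetical.

/**
 * Weak variant from the report: a fixed, predictable path that every site
 * sharing the same temp directory writes to, and that is never cleaned up.
 */
function predictable_export_path(string $tempDir): string {
  return rtrim($tempDir, '/') . '/config.tar.gz';
}

/**
 * Hardened variant: 128-bit random suffix, exclusive creation ('x' mode
 * fails instead of reusing a file that already exists), 0600 permissions.
 * The caller writes the archive to the returned path and unlinks it after
 * streaming it to the user.
 */
function unique_export_path(string $tempDir): string {
  $dir = rtrim($tempDir, '/');
  if (!is_dir($dir) || !is_writable($dir)) {
    throw new RuntimeException("Temp directory not writable: $dir");
  }
  for ($attempt = 0; $attempt < 10; $attempt++) {
    $path = $dir . '/config-' . bin2hex(random_bytes(16)) . '.tar.gz';
    $fh = @fopen($path, 'x');   // atomic create-if-absent
    if ($fh !== false) {
      fclose($fh);
      chmod($path, 0600);       // owner-only; web server user owns it
      return $path;
    }
  }
  throw new RuntimeException('Could not create a unique temporary file');
}

/**
 * Returns TRUE when the temp directory is not inside the web root, so the
 * archive cannot be fetched over HTTP even if its name were known.
 */
function temp_dir_outside_webroot(string $tempDir, string $webRoot): bool {
  $t = realpath($tempDir);
  $w = realpath($webRoot);
  if ($t === false || $w === false) {
    return false;
  }
  return strpos($t . '/', $w . '/') !== 0;
}

// Constructed usage: create the archive file, write to it, then remove it.
$path = unique_export_path(sys_get_temp_dir());
// ... build the tar.gz at $path and stream it to the client, then:
unlink($path);
```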