Problem/Motivation

I found that uploaded files are first uploaded to /tmp; once fully uploaded, they are then moved to the folder set in the $settings['file_temp_path'] variable and then moved to the final destination (private or public). This is an insecure solution since /tmp is an insecure folder used by the system.

Steps to reproduce

  1. Create a node with a "file" type field.
  2. Upload a large file you can track.
  3. It will be first written to the system temp folder (usually /tmp), then moved to the Drupal $settings['file_temp_path'] location, and then to its final destination.

Proposed resolution

Files should be uploaded directly to the $settings['file_temp_path'] location. This can be set as a secure folder under the "private" folder or some other secure location.

Issue fork drupal-3295216


Comments

ericyellin created an issue. See original summary.

cilefen’s picture

Issue tags: -temporary folder, -file system, -media, -file upload, -Security +Security improvements

https://api.drupal.org/api/drupal/core%21lib%21Drupal%21Component%21File...

You can change upload_tmp_dir by modifying the PHP configuration value to harden if on shared hosting:

https://www.php.net/manual/en/ini.core.php#ini.upload-tmp-dir

Does that work for you?
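A way to verify the setting cilefen points at, as an added example that is not code from the issue or from Drupal core: it reports where PHP actually stages uploads before Drupal's file_temp_path ever sees them, including the fallback to the system temp directory when upload_tmp_dir is unset, missing or unwritable. The private root path is an assumption.

```php
<?php
// Added example (not from the issue or Drupal core): audit where PHP stages
// uploads before Drupal moves them to $settings['file_temp_path'].
declare(strict_types=1);

/**
 * Returns a list of findings about PHP's upload staging directory.
 * An empty array means the directory looks acceptable.
 */
function audit_upload_tmp_dir(string $expected_private_root): array {
  $findings = [];
  $dir = ini_get('upload_tmp_dir');
  if ($dir === false || $dir === '') {
    // Unset: PHP stages uploads in the system temp dir (usually /tmp).
    $findings[] = 'upload_tmp_dir is unset; uploads are staged in ' . sys_get_temp_dir();
    return $findings;
  }
  $real = realpath($dir);
  if ($real === false || !is_dir($real)) {
    // PHP falls back to the system temp dir without raising an error.
    $findings[] = "upload_tmp_dir '$dir' does not exist; PHP falls back to " . sys_get_temp_dir();
    return $findings;
  }
  if (!is_writable($real)) {
    // Same silent fallback applies when the directory is not writable.
    $findings[] = "upload_tmp_dir '$real' is not writable; PHP falls back to " . sys_get_temp_dir();
  }
  $perms = fileperms($real) & 0777;
  if ($perms & 0002) {
    $findings[] = sprintf("upload_tmp_dir '%s' is world-writable (%o); other local users can read or replace staged uploads", $real, $perms);
  }
  $root = realpath($expected_private_root);
  if ($root === false || strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
    $findings[] = "upload_tmp_dir '$real' is outside the private root '$expected_private_root'";
  }
  return $findings;
}

// Usage: run as the web server user; '/var/www/private' is an assumed private root.
foreach (audit_upload_tmp_dir('/var/www/private') as $finding) {
  echo $finding, PHP_EOL;
}
```

Run it with the same SAPI that serves the site (for example via a one-off page or `php-fpm` CLI with the matching ini), since CLI and web SAPIs often load different php.ini files.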

larowlan’s picture

Category: Bug report » Support request
Issue tags: +Bug Smash Initiative

immaculatexavier made their first commit to this issue’s fork.

cilefen’s picture

Status: Active » Postponed (maintainer needs more info)

cilefen’s picture

Status: Postponed (maintainer needs more info) » Closed (outdated)

There have been no updates.