| Page Properties | ||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
At In-Portal all user uploaded files are stored in "/system/" folder, which accessible from the Web. This way an attacker can probe that folder to see which of files he/she is interested in is present to perform his attack.
...
The complete randomization is of course more secure solution, but in case, when uploaded files are not images (images can be found later by their thumbnail) this can be become a nightmare for users. Therefore partial randomization seems like a viable solution.
Solution
...
- add public "
\kUploadHelper::randomizeFilename($filename)" method, that will: - 0.5h- generate random 16 byte string using "
SecurityGenerator::generateBytes(8)" method call - inject it in here "
{file_name}_{random_string}.{file_extension}"
- generate random 16 byte string using "
- in the "
\kUploadHelper::getUploadedFilename" method wrap response with "\kUploadHelper::randomizeFilename" method call - 0.3h - in the "
\kUploadFormatter::_processRegularUploader" method, when file was uploaded (the error isUPLOAD_ERR_OK) but before any validation happens wrap "$value['name']" with "\kUploadHelper::randomizeFilename" method call - 0.2h
Quote: 1h*1.4=1.5h
Related Discussions
- /wiki/spaces/BUG/pages/4358309 (blocker)
...