In In-Portal, all user-uploaded files are stored in the "/system/" folder, which is accessible from the Web. An attacker can therefore probe that folder to see whether the files he/she is interested in are present and then use them in an attack.
...
Complete randomization is of course the more secure solution, but when the uploaded files are not images (images can be found later by their thumbnail) it can become a nightmare for users. Therefore partial randomization seems like a viable solution.
Solution
Append a moderate-length random string (e.g. a 10-symbol alphanumeric string in which letters are case-sensitive) to the end of the uploaded filename. This way "easy_to_guess_file.jpg" is transformed into "easy_to_guess_file_Aast46gsEd.jpg". The hash must be completely independent of the uploaded filename (so that an attacker can't generate it himself/herself) and should be random for each In-Portal install.
...
- add public "\kUploadHelper::randomizeFilename($filename)" method, that will: - 0.5h
  - generate random 16 byte string using "SecurityGenerator::generateBytes(8)" method call
  - inject it in here "{file_name}_{random_string}.{file_extension}"
- in the "\kUploadHelper::getUploadedFilename" method wrap response with "\kUploadHelper::randomizeFilename" method call - 0.3h
- in the "\kUploadFormatter::_processRegularUploader" method, when file was uploaded (the error is UPLOAD_ERR_OK) but before any validation happens wrap "$value['name']" with "\kUploadHelper::randomizeFilename" method call - 0.2h
Quote: 1h*1.4=1.5h
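The "{file_name}_{random_string}.{file_extension}" transformation described above, as an added stand-alone sketch (not In-Portal's own code). The function names randomize_filename() and random_token() are hypothetical, and PHP's built-in random_int() is used in place of "SecurityGenerator::generateBytes", whose exact behaviour is not shown on this page.

```php
<?php
// Added example, not In-Portal code. randomize_filename() and random_token()
// are hypothetical names; random_int() stands in for SecurityGenerator.

const TOKEN_ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

/**
 * Build a case-sensitive alphanumeric token from the OS CSPRNG.
 * random_int() is unbiased over the range; 10 symbols give 62^10 combinations.
 */
function random_token(int $length = 10): string
{
    $token = '';
    $max = strlen(TOKEN_ALPHABET) - 1;
    for ($i = 0; $i < $length; $i++) {
        $token .= TOKEN_ALPHABET[random_int(0, $max)];
    }
    return $token;
}

/** Turn "name.ext" into "name_<token>.ext"; the token never depends on the name. */
function randomize_filename(string $filename): string
{
    // Keep only the last path component; some clients send a full local path.
    $filename = basename(str_replace('\\', '/', $filename));

    $dot = strrpos($filename, '.');
    if ($dot === false || $dot === 0) {
        // No extension, or a leading-dot name: append the token at the end.
        return $filename . '_' . random_token();
    }

    // Split on the LAST dot so "report.final.pdf" keeps "pdf" as its extension.
    $name = substr($filename, 0, $dot);
    $extension = substr($filename, $dot + 1);
    return $name . '_' . random_token() . '.' . $extension;
}

// Constructed sample names, not taken from a real install.
$samples = ['easy_to_guess_file.jpg', 'report.final.pdf', 'README', 'C:\\Users\\me\\photo.png'];
foreach ($samples as $sample) {
    echo $sample, ' => ', randomize_filename($sample), PHP_EOL;
}
```

Because the token is drawn fresh for every upload and is not derived from the filename, two uploads of the same file get different stored names, so the generated name has to be saved with the record that references the file.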
Related Discussions
- /wiki/spaces/BUG/pages/4358309 (blocker)