Security Measures Regarding File Uploads

Cool. Yeah, I would suggest we have it insert a UUID into the filename as well.

Just to reiterate. My concern is that if instead of uploading a file to an upload script, someone sent a post with a form parameter with the same name as the file parameter, but instead it had the name of a temp file. Having it make the name of the temp file extremely unpredictable would drastically mitigate it.

WEB-INF folder should be blocked by default on any servlet engine, but we add a .htaccess file to WEB-INF and the lucee folder just in case. But the best is to configure the web config somewhere outside the webroot anyway.

But I think it is a good idea to make the temp name random and synchronise the method.
Could someone raise a ticket for it?

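As an added illustration of the two fixes proposed in this thread (example code, not Lucee's own), a Python sketch of an upload handler that hands out UUID-based temp names under a lock and only ever acts on names it issued itself, so a plain form value posted under the file field's name is ignored; the temp directory and the dict shapes are assumptions.

```python
import os
import re
import threading
import uuid
from concurrent.futures import ThreadPoolExecutor

# Constructed demo, not Lucee's code: a registry of temp names the server
# has handed out, guarded by one lock so allocation is serialised.
_lock = threading.Lock()
_issued = set()
TMP_DIR = "/tmp/uploads"  # assumed location; the real directory is config

def make_temp_name(original):
    """Allocate an unpredictable, collision-free temp path for an upload.

    The client's filename contributes only a sanitised extension; the body
    is a random UUID (os.urandom-backed), and the lock means two threads
    can never be handed the same name.
    """
    ext = os.path.splitext(original)[1].lower()
    if not re.fullmatch(r"\.[a-z0-9]{1,8}", ext):
        ext = ""
    with _lock:
        while True:
            name = uuid.uuid4().hex + ext
            if name not in _issued:  # practically never loops, but safe
                _issued.add(name)
                return os.path.join(TMP_DIR, name)

def is_issued_temp(path):
    """True only if this exact path was allocated by make_temp_name."""
    with _lock:
        return os.path.basename(path) in _issued

def resolve_upload(field, uploaded_files, form_fields):
    """Return the server-assigned temp path for a file field, or None.

    uploaded_files maps field name -> temp path the server wrote the part
    to; form_fields holds plain text values. A text value under the file
    field's name is never consulted, so a client cannot point the handler
    at a temp file by supplying or guessing its name.
    """
    path = uploaded_files.get(field)
    if path is None or not is_issued_temp(path):
        return None
    return path

def allocate_concurrently(count, workers=8):
    """Allocate `count` names from `workers` threads; returns the distinct set."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return set(pool.map(make_temp_name, ["doc.pdf"] * count))
```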

Bugs filed

randomize filenames for file uploads
https://luceeserver.atlassian.net/browse/LDEV-2877

cffile makeunique filename isn’t synchronised
https://luceeserver.atlassian.net/browse/LDEV-2878


Awesome, thank you guys.

I’m used to having to fight with people over topics like this, where just a small change is needed, but people either don’t want to admit they’re wrong, or don’t want to have to go through the small effort of making the change. Always nice to see people take these things seriously.


As a matter of fact, I, as a usual cfml dev using Lucee, would like to thank YOU for taking your time and stating your point of view here. Your action will lead to security enhancement and all of us using Lucee will take advantage of your contribution. +1 for it being your first post here in our community. Much appreciated.

The generation of these temp upload file names is now thread safe, and the related problem of the files being extracted again for each new thread has been resolved in 5.3.8.12.

https://luceeserver.atlassian.net/browse/LDEV-2903

Additionally, a bug causing excessive memory usage for processing large file uploads has also been fixed.

https://luceeserver.atlassian.net/browse/LDEV-2087

Happy uploading! Thanks @micstriit
