randomize filenames for file uploads

Description

Lucee currently uses a sequential filename counter for file uploads into the temp directory

i.e tmp-1.upload

https://github.com/lucee/Lucee/blob/5.3/core/src/main/java/lucee/runtime/type/scope/FormImpl.java#L233

it would be safer to use a random guid for these files, as it's a bit of a potential security risk as they are somewhat predictable

also the current counter isn't thread safe, but a file counter per request would be

something like
form-file-1-#request-guid#.upload
form-file-2-#request-guid#.upload

that way it would be still easy for humans to understand

https://dev.lucee.org/t/security-measures-regarding-file-uploads/6895/20

Environment

None

Activity

Show:
Pothys - MitrahSoft
May 6, 2020, 7:24 AM

I've checked this ticket and added a fix for this issue.

Pull request: https://github.com/lucee/Lucee/pull/945

Zac Spitzer
June 22, 2020, 11:37 AM

As part of LDEV-2903 the generation of these file names is synchronised https://github.com/lucee/Lucee/blob/5.3/core/src/main/java/lucee/runtime/type/scope/FormImpl.java#L232

Assignee

Michael Offner

Reporter

Zac Spitzer

Priority

New

Labels

Fix versions

None

Affects versions

Configure