Confluence Data Center
CONFSERVER-83347

Unauthorised users who make multipart requests have this data written to disk momentarily


Details

    Description

      Issue Summary

      When a multipart request is made to a Confluence server, the multipart data is usually saved to a temporary directory prior to determining whether a user is authorised to access that URL.

      This is due to both application and library (WebWork/Struts) design: permission checks are based on Action mappings, which are only determined after the request has been parsed to disk.

      Additionally, there is currently no layer that determines whether multipart requests are valid/necessary for that specific URL.

      In practice, these files are mostly short-lived, as they are deleted almost immediately after being written to disk if the permission check fails.

      In Confluence 7.x, it only affects URLs served by the WebWork servlet.

      In Confluence 8.x, it affects all URLs filtered by the StrutsPrepareFilter except those specifically excluded by struts.action.excludePattern in struts.xml.

      Steps to Reproduce

      1. As an unauthorised user, make a request with multipart data to almost any URL (or, for Confluence 7.x, a URL ending in .action)

      Expected Results

      No server disk writes

      Actual Results

      A file is written to disk momentarily, then deleted very quickly

      Workaround

      Not known

      People

        Anoop Singh
        Kusal Kithul-Godage