Confluence Data Center - CONFSERVER-83347

Unauthorised users who make multipart requests have this data written to disk momentarily

      Issue Summary

      When a multipart request is made to a Confluence server, the multipart data is usually saved to a temporary directory prior to determining whether a user is authorised to access that URL.

      This is due to both application and library (WebWork/Struts) design: permission checks are based on Action mappings, which are only resolved after the request body has been parsed to disk.

      Additionally, there is currently no layer to determine whether a multipart request is valid/necessary for that specific URL.

      In practice, these files are mostly short-lived as they are deleted almost immediately after they are written to disk if permission checks fail.

      In Confluence 7.x, it only affects URLs served by the WebWork servlet.

      In Confluence 8.x, it affects all URLs filtered by the StrutsPrepareFilter except those specifically excluded by struts.action.excludePattern in struts.xml.

      Steps to Reproduce

      1. As an unauthorised user, make a request with multipart data to almost any URL (or a URL ending in .action for Confluence 7.x)

      Expected Results

      No server disk writes

      Actual Results

      A file is written to disk momentarily then deleted very quickly

      Workaround

      Not known
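Added example (not Atlassian's code and not the shipped fix): a servlet filter of the kind the summary says is missing, which refuses multipart bodies before the Struts/WebWork layer can spool them to a temporary directory unless the request is authenticated and targets a URL that actually accepts uploads. It assumes the javax.servlet API, that the filter is mapped ahead of StrutsPrepareFilter in web.xml, and a hypothetical session attribute and allow-list of upload paths.

```java
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.IOException;
import java.util.Locale;
import java.util.Set;

// Gate multipart requests before any body bytes are consumed, so nothing is
// written to disk for callers that are unauthenticated or hitting a URL that
// never needs multipart data.
public class MultipartGateFilter implements Filter {
    // Hypothetical allow-list: only paths that genuinely accept uploads.
    private static final Set<String> UPLOAD_PATHS = Set.of(
        "/pages/doattachfile.action",
        "/plugins/servlet/upload");

    @Override
    public void init(FilterConfig cfg) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;
        if (shouldReject(http.getContentType(), http.getServletPath(), isAuthenticated(http))) {
            // Reject before reading the body: the downstream multipart parser never
            // runs, so no temporary file is created and then deleted.
            out.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res); // not multipart, or permitted: let Struts handle it
    }

    // Pure decision logic, kept separate so it can be unit-tested.
    static boolean shouldReject(String contentType, String path, boolean authenticated) {
        boolean multipart = contentType != null
            && contentType.toLowerCase(Locale.ROOT).startsWith("multipart/");
        if (!multipart) return false;
        return !authenticated || !UPLOAD_PATHS.contains(path);
    }

    private static boolean isAuthenticated(HttpServletRequest http) {
        // Assumption: a session attribute set at login. Confluence's real
        // authentication layer (Seraph) is not modelled here.
        HttpSession s = http.getSession(false);
        return s != null && s.getAttribute("authenticatedUser") != null;
    }

    @Override
    public void destroy() {}
}
```

The client still transmits the body on the socket, but because the filter answers before the container's multipart handling is invoked, the data is never spooled to the temporary directory described in the summary.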


            Kusal Kithul-Godage added a comment - rli@atlassian.com I'd need reproduction steps to check as I'm not aware of this being possible

            Aakash Jain added a comment - A fix for this issue is available in Confluence Server and Data Center 7.19.19. Upgrade now or check out the Release Notes to see what other issues are resolved.

            Jordan Anslow added a comment - A fix for this issue is available in Confluence Server and Data Center 8.5.5. Upgrade now or check out the Release Notes to see what other issues are resolved.

            James Whitehead added a comment - A fix for this issue is available in Confluence Data Center 8.7.1. Upgrade now or check out the Release Notes to see what other issues are resolved.
