Details
Type: Improvement
Resolution: Done
Priority: Medium
Version/s: 3.2.2
Description
LegacyPathGenerator generates its supposedly unpredictable filenames in a less than ideal way:
https://github.com/ezsystems/ezplatform-kernel/blob/c1750540a0adf09b3242266fc32937bdcc3424fe/eZ/Publish/Core/FieldType/BinaryBase/PathGenerator/LegacyPathGenerator.php#L20
It is an md5 hash of a uniqid() value prefixed by a microtime(true) float. Code scanners report the md5 usage as a potential security vulnerability. It is not one in this case, but the whole construction is needlessly complicated.
Note that microtime(true) does not give microsecond accuracy by default, because it is limited by PHP's float precision: uniqid() receives the prefix as a string, and float-to-string conversion keeps only as many significant digits as the `precision` ini setting allows (14 by default, of which ten are already used by the integer seconds), see https://jira.ez.no/browse/EZP-30381. Again, that is not a security problem the way it is used here, but it is misleading: the value is easier to predict than it looks.
It is important that filenames are hard to predict in cases where web server permissions are not ideally configured. If the web server allows direct access to binaryfile content, hard-to-guess filenames are the only thing preventing download of files that are supposed to be protected by read policies. In this case the names are not very predictable, but the code smells of bad practices. We should simply use random_bytes() instead.
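As an added example, not the ezplatform-kernel code, the PHP script below puts the legacy construction described above next to the random_bytes() replacement the issue asks for, and lays open the string that md5() hides so the limited variability behind it is visible. The function names are made up for this illustration, and the timestamp fed to the precision demonstration is a constructed value.

```php
<?php
declare(strict_types=1);

// Added example (not ezplatform-kernel code): the legacy construction next
// to the random_bytes() replacement, with the legacy input laid open so the
// limited variability that md5() hides becomes visible.

// Pin the setting that governs float-to-string conversion so the output is
// the same everywhere. 14 is PHP's default.
ini_set('precision', '14');

/**
 * Legacy construction, as described in the issue. uniqid() coerces a float
 * prefix to a string, so this is equivalent to passing microtime(true)
 * directly; the explicit cast only makes the coercion visible.
 */
function legacyFileName(): string
{
    return md5(uniqid((string) microtime(true), true));
}

/**
 * Proposed replacement: 16 bytes from the OS CSPRNG, hex encoded. 128 bits
 * of entropy, no time component, and nothing for a scanner to flag.
 */
function randomFileName(): string
{
    return bin2hex(random_bytes(16));
}

/**
 * Decompose the string that md5() sees in the legacy construction.
 * uniqid($prefix, true) appends "%08x%05x%.8F": Unix seconds, microseconds
 * and a value from PHP's combined LCG. None of these is CSPRNG output; the
 * PHP manual documents uniqid() as not cryptographically secure.
 */
function legacyPreimage(): array
{
    $prefix = (string) microtime(true);
    $id     = uniqid($prefix, true);
    $tail   = substr($id, strlen($prefix));
    return [
        'prefix'      => $prefix,             // e.g. "1609459200.1235", 4 decimals only
        'seconds_hex' => substr($tail, 0, 8), // current Unix time, guessable
        'usec_hex'    => substr($tail, 8, 5), // microseconds, 0..999999
        'lcg'         => substr($tail, 13),   // "d.dddddddd" from php_combined_lcg()
        'md5_input'   => $id,
    ];
}

/**
 * Show the precision loss the issue mentions on a constructed timestamp:
 * the double holds microseconds, but the string uniqid() receives keeps
 * only 14 significant digits, ten of which are the integer seconds.
 */
function precisionLoss(float $timestamp): array
{
    return [
        'as_uniqid_sees_it' => (string) $timestamp,      // "1609459200.1235"
        'full_microseconds' => sprintf('%.6F', $timestamp), // "1609459200.123456"
    ];
}

// Constructed timestamp: 2021-01-01T00:00:00.123456Z
print_r(precisionLoss(1609459200.123456));
print_r(legacyPreimage());
echo "legacy: ", legacyFileName(), "\n";
echo "random: ", randomFileName(), "\n";
```

Running it shows the legacy md5 input as a timestamp string with four decimals, a hex timestamp that any attacker can bracket to the second, and a short LCG tail as the only part that is not clock-derived. The replacement has no such structure. One caveat worth keeping when swapping in random_bytes(): it throws if the system has no secure randomness source, and that exception should propagate rather than be caught and replaced with a uniqid() fallback, otherwise the weak path quietly comes back.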
Issue Links
- testing discovered: EZP-32224 Console error occurs when deleting file from ezbinaryfile field (Closed)