globaleaks / globaleaks-whistleblowing-software

GlobaLeaks is a free and open-source whistleblowing software enabling anyone to easily set up and maintain a secure reporting platform.
https://www.globaleaks.org

Improve robustness of handling of uploaded files in presence of DB error #451

Open evilaliv3 opened 11 years ago

evilaliv3 commented 11 years ago

With respect to https://github.com/globaleaks/GlobaLeaks/issues/450, currently the file is saved in the final location with an action that is non-atomic with respect to the respective db registration.

If the db registration of the file fails, the file remains saved on the server indefinitely, with also no way to track the situation; this effectively represents a security issue, as confidential data could potentially remain leaked on the filesystem.

A proper fix involves these actions:
1) the file must be saved with a "_temp" suffix
2) the db transaction must do the file rename action internally and as the latest action
3) in case of transaction failures the transaction must delete the temporary file

2) and 3) involve an enhancement of the @transaction decorator to permit the handler to register an _on_commit() and an _on_rollback() function.

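The scheme proposed above (write to `_temp`, register in the db, rename as the last action before commit, delete the temp file on rollback) as an added, self-contained sketch; this is not GlobaLeaks code, and the `Tx` hooks, `run_transaction` helper, sqlite schema and sample upload are all assumptions constructed for illustration:

```python
import os
import sqlite3
import tempfile


class Tx:
    """Per-transaction registry of cleanup callbacks, standing in for the
    proposed @transaction enhancement (assumed design, not GlobaLeaks code)."""

    def __init__(self):
        self._commit_cbs, self._rollback_cbs = [], []

    def on_commit(self, cb):
        self._commit_cbs.append(cb)

    def on_rollback(self, cb):
        self._rollback_cbs.append(cb)


def run_transaction(conn, handler):
    """Run handler(conn, tx); rename hooks fire last before commit, delete hooks on failure."""
    tx = Tx()
    try:
        handler(conn, tx)
        for cb in tx._commit_cbs:      # file rename is the latest action of the transaction
            cb()
        conn.commit()
        return True
    except Exception:
        conn.rollback()
        for cb in tx._rollback_cbs:    # drop the _temp file so no unregistered copy lingers
            cb()
        return False


def store_upload(conn, upload_dir, name, data, fail_db=False):
    """Write <name>_temp, register the file in the db, then rename only on commit."""
    temp_path = os.path.join(upload_dir, name + "_temp")
    final_path = os.path.join(upload_dir, name)
    with open(temp_path, "wb") as f:
        f.write(data)

    def handler(conn, tx):
        tx.on_commit(lambda: os.rename(temp_path, final_path))
        tx.on_rollback(lambda: os.remove(temp_path))
        conn.execute("INSERT INTO files (name, size) VALUES (?, ?)", (name, len(data)))
        if fail_db:  # constructed failure simulating the db error the issue describes
            raise sqlite3.OperationalError("simulated DB failure")

    return final_path if run_transaction(conn, handler) else None


def demo(fail_db):
    """Return (registered names, files on disk) after one upload attempt; constructed sample."""
    upload_dir = tempfile.mkdtemp()
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (name TEXT, size INTEGER)")
    store_upload(conn, upload_dir, "report.pdf", b"constructed sample bytes", fail_db)
    names = [r[0] for r in conn.execute("SELECT name FROM files").fetchall()]
    return names, sorted(os.listdir(upload_dir))
```

A crash between the rename and the commit can still leave a renamed file without a db row, so a periodic sweep for stray `_temp` files complements rather than replaces this.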

fpietrosanti commented 11 years ago

I think that this should be done in a different way, with a cleanup batch.

That's because the "file writing" could also become an operation that takes some time, such as loading over a remote filesystem.

So the operations on files are better done in a way that's resilient against network timeouts.

vecna commented 11 years ago

@evilaliv3 I understand your concern, but at the moment the anomaly detection of uploaded-but-not-recorded files is handled by the admin with the overview interface.

The files not associated to any Tip are exposed with a dedicated visualization. It can be enhanced to be visualized as "danger", a "delete" button can be added, and it can be something in the hands of the admin without bothering us.

The usage of a remote filesystem, or distributed fs and stuff, is quite possible in future configurations, together with mixed database-fs operations. Still, we've not yet tested GlobaLeaks with slow network filesystems; can we postpone this ticket and this analysis in conjunction with FS tests?

fpietrosanti commented 10 years ago

Is this fixed now?

evilaliv3 commented 10 years ago

A lot of progress has been done, but nothing in the direction of what I've opened the ticket for.

Let's keep it open so that I will go over this when I'll have the time.