Umbraco Forms file uploads go to insecure location #98

Open
sussexrick opened this issue Nov 22, 2017 · 10 comments

@sussexrick

This is not an issue with this project, and I've logged it as a problem with Umbraco Forms (http://issues.umbraco.org/issue/CON-1454).

However, since we use this project as our IFileSystem for media I've made some changes to our fork that support redirecting Umbraco Forms uploads to a separate container, which can be private. I need to update tests and documentation and then push it.

It's a workaround that won't apply to everyone so I don't know if you'll want to bring it into the main project, but I can submit a PR if you want me to?

@Jeavon
Collaborator

Jeavon commented Nov 22, 2017

@caterwomtious interesting, so Forms uploads to the standard media folder? This would be an issue even if UmbracoFileSystemProviders.Azure wasn't in use?

@sussexrick
Author

Yes, without UmbracoFileSystemProviders.Azure they just go to /media/forms/uploads on disk. I tested that first, then realised that because we're using UmbracoFileSystemProviders.Azure I had a way to work around it.

@sussexrick
Author

Neils has just said on Our that they'll prioritise this for the next Forms version.

@CasperTDK

Is there any news?

@sussexrick
Author

Nope. The next version of Forms has been and gone and it wasn't fixed. I've logged it again on the new tracker, and created a NuGet package, Escc.Umbraco.Forms.Security, which includes an updated FileSystemProvider which routes forms uploads to a separate folder that can be secured properly (but that's for files on disk, not blob storage).

https://github.com/east-sussex-county-council/Escc.Umbraco.Forms
https://www.nuget.org/packages?q=Escc.Umbraco.Forms

@CasperTDK

@sussexrick thanks a lot for the update, I wanted to be sure I didn't miss anything. Yeah, it is a great package but we need to use it together with Azure. We will inform our clients of the current status.

@sussexrick
Author

I also have a fork of this project with a similar workaround which you're welcome to use. I build from the 'escc' branch which includes other changes and publish to our private NuGet feed, but the 'umbraco-forms' branch should be just the base project plus the workaround for this issue. We're using it without problems.

@CasperTDK

@sussexrick but your patch also prevents back office users from accessing the files, correct?

@sussexrick
Author

No, it redirects back office requests via something (a web API IIRC) that checks they're authenticated.

@AstuteMediaDev

I may be missing something here but in our case we just add a location entry to the web.config to deny access to the Umbraco Forms upload location. This also denies access when the Azure file system provider is used.
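
The web.config approach from the last comment, as an added example that is not part of the thread and not the commenter's actual configuration. It assumes the upload path mentioned earlier in the thread (/media/forms/uploads) and that requests for that path run through the ASP.NET managed pipeline, which ASP.NET URL authorization needs in order to apply.

```xml
<!-- Added example: constructed fragment, merge into the site's existing web.config -->
<configuration>
  <!-- Path is an assumption taken from the thread; set it to the real Forms upload folder, relative to the site root -->
  <location path="media/forms/uploads">
    <system.web>
      <authorization>
        <!-- "*" matches every user, anonymous or authenticated, so no file under this path is served by direct URL -->
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Because the rule denies every user, back office users cannot open uploads by direct URL either; after deploying, request a known upload URL from an unauthenticated session and confirm the file is not returned.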
