Umbraco Forms file uploads go to insecure location #98
Comments
@caterwomtious Interesting, so Forms uploads to the standard media folder? This would be an issue even if UmbracoFileSystemProviders.Azure wasn't in use?
Yes, without UmbracoFileSystemProviders.Azure they just go to /media/forms/uploads on disk. I tested that first, then realised that because we're using UmbracoFileSystemProviders.Azure I had a way to work around it.
Neils has just said on Our that they'll prioritise this for the next Forms version.
Is there any news?
Nope. The next version of Forms has been and gone and it wasn't fixed. I've logged it again on the new tracker, and created a NuGet package, Escc.Umbraco.Forms.Security, which includes an updated FileSystemProvider which routes forms uploads to a separate folder that can be secured properly (but that's for files on disk, not blob storage). https://github.com/east-sussex-county-council/Escc.Umbraco.Forms
@sussexrick Thanks a lot for the update, I wanted to be sure I didn't miss anything. Yeah, it is a great package, but we need to use it together with Azure. We will inform our clients of the current status.
I also have a fork of this project with a similar workaround which you're welcome to use. I build from the 'escc' branch which includes other changes and publish to our private NuGet feed, but the 'umbraco-forms' branch should be just the base project plus the workaround for this issue. We're using it without problems.
@sussexrick But your patch also prevents back office users from accessing the files, correct?
No, it redirects back office requests via something (a web API IIRC) that checks they're authenticated.
I may be missing something here, but in our case we just add a location entry to the web.config to deny access to the Umbraco Forms upload location. This also denies access when the Azure file system provider is used.
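As an added illustration (not configuration posted by anyone in this thread), the web.config location entry described in the previous comment, assuming the upload path is /media/forms/uploads as stated earlier in the thread, and assuming the site runs in IIS integrated mode with runAllManagedModulesForAllRequests="true" so that the ASP.NET UrlAuthorization module sees requests for static files in that folder:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Fragment of a site's web.config; the surrounding <configuration> element is
     shown only so the snippet is well-formed on its own. -->
<configuration>
  <!-- Assumption: the folder Umbraco Forms writes uploads to (path as given in
       this thread). A <location> element applies the rule only to that path. -->
  <location path="media/forms/uploads">
    <system.web>
      <authorization>
        <!-- Deny every anonymous and authenticated visitor. Uploaded files are then
             never served directly from the public URL, whether stored on disk or
             exposed through the Azure file system provider's virtual path. Back
             office retrieval has to go through a separate authenticated route, as
             discussed above. -->
        <deny users="*" />
      </authorization>
    </system.web>
    <!-- Assumption: belt-and-braces for IIS itself, so a direct static-file request
         that bypasses managed modules still gets a 404 instead of the file. -->
    <system.webServer>
      <handlers>
        <clear />
        <add name="BlockFormsUploads" path="*" verb="*"
             type="System.Web.HttpNotFoundHandler" />
      </handlers>
    </system.webServer>
  </location>
</configuration>
```

After deploying, a check worth running is an anonymous GET of a known upload URL, which should return 401/404 rather than the file; a 200 means the request never reached the authorization rule (for example because the folder is served by a CDN or a blob storage public URL rather than the site).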
This is not an issue with this project, and I've logged it as a problem with Umbraco Forms (http://issues.umbraco.org/issue/CON-1454).
However, since we use this project as our IFileSystem for media I've made some changes to our fork that support redirecting Umbraco Forms uploads to a separate container, which can be private. I need to update tests and documentation and then push it.
It's a workaround that won't apply to everyone so I don't know if you'll want to bring it into the main project, but I can submit a PR if you want me to?