benkeen
commented
5 years ago Hey @rfc2822, thanks very much for your post!
Yes, the default upload folder is just [form tools root]/upload. This is just a convenient out-the-box location that guarantees to exist after a Form Tools installation is set up. But like you said, that location is publicly accessible and isn't secure.
(You mentioned "auto-index? I'm not aware of what that is... that's a server setting that somehow overrides the default index.html file? Interesting...)
But yes, what you mentioned - using a script to determine whether the user has access to the file - is certainly an option, but in many cases people won't want that. It's often used just to house public data. It sounds like what's really needed is an option to enable a more secure setting for certain scenarios.
That said, people still have options beyond what you mentioned:
- they can use the filename renaming option to totally customize the uploaded filenames and make them unlikely to be guessed, e.g. including unix timestamps or something (see: https://docs.formtools.org/modules/field_type_file/filenames/)
- change the upload folder to be outside the webroot. This would be the most effective solution to prevent people ever accessing the content from the web-browser. However I think that would make it a one-way trip. They couldn't download it again via a URL of course.
But this is certainly something worth looking at further. Great points!
rfc2822
Hello,
When evaluating Form Tools I found that uploaded files are put to /uploads and then served statically (without access control). The file names are kept as sent by the browser, so they can be guessed easier than UUIDs or something like that. So, those uploaded files can be accessed
by
I have found real installations in the Web where private uploads were publicy accessible.
To prevent this, files should probably not be served statically, but only over a script which checks whether the current user is allowed to download the respective file.