lekoala / silverstripe-base

A base module for my SilverStripe projects

FilePond/front-end uploads: async uploads may pose security issue #3

Closed micschk closed 6 years ago

micschk commented 6 years ago

It occurred to me that (especially in a front-end scenario) having a hidden field with just a file-id as a value poses a possible security issue as anyone could spoof the ID and attach/'upload' any (existing) file as his own.

I can think of two ways to prevent this;

lekoala commented 6 years ago

Sure, this is why I didn't handle that so far :-)

In the FilePond sample backend, they generate a unique id so it's very unlikely that you can spoof existing files.

I don't like sessions in general because they expire, they lock php processes, etc. Probably using uuids instead should be more than enough.

I have a module doing that but it's not updated to SilverStripe 4 yet https://github.com/lekoala/silverstripe-uuid (it should be really straightforward to upgrade)

lekoala commented 6 years ago

Just to let you know that I added the change on master. I'm using the session and I think it works ok.
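
One way to bind async-uploaded file IDs to the session, shown as an added example that is not code from silverstripe-base or FilePond: the upload endpoint records each ID it creates, and form submission accepts only IDs found in that record. It is plain PHP with an array standing in for the session store; every function and key name is hypothetical.

```php
<?php
// Added example, not project code. $session stands in for the framework's
// session store; UPLOAD_KEY and both function names are hypothetical.

const UPLOAD_KEY = 'pending_upload_ids';

// Called by the async upload endpoint once the file record exists.
function rememberUpload(array &$session, int $fileId): void
{
    $session[UPLOAD_KEY][$fileId] = true;
}

// Called on form submission. Returns only the IDs this session uploaded;
// any other value found in the hidden field is dropped.
function claimUploads(array &$session, array $submitted): array
{
    $pending = $session[UPLOAD_KEY] ?? [];
    $accepted = [];
    foreach ($submitted as $raw) {
        // Hidden-field values are client-controlled strings: digits only.
        if (!is_string($raw) || !ctype_digit($raw)) {
            continue;
        }
        $id = (int) $raw;
        if (isset($pending[$id])) {
            $accepted[] = $id;
            unset($pending[$id]); // single use: an ID cannot be attached twice
        }
    }
    $session[UPLOAD_KEY] = $pending;
    return $accepted;
}

// Constructed demo: this session uploaded file 101; file 7 is someone else's.
$session = [];
rememberUpload($session, 101);
print_r(claimUploads($session, ['101', '7', '101', '7 OR 1=1']));
```

Only the ID recorded by `rememberUpload()` survives; the foreign ID, the replayed ID and the malformed value are all discarded before any file is attached to the submitted record.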