umbraco-community / UmbracoFileSystemProviders.Azure

:cloud: An Azure Blob Storage IFileSystem provider for Umbraco

Container default access level possible security issue for Umbraco Forms #138

Closed AstuteMediaDev closed 5 years ago

AstuteMediaDev commented 5 years ago

Related to #67 and #98

There is a hard-coded use of BlobContainerPublicAccessType.Blob when creating the container.

Umbraco Forms uploads files to /media/forms and we only just realised the default container access is public, so anyone could potentially access sensitive user uploads if they were aware of the storage account URL.

JimBobSquarePants commented 5 years ago

We have other options now. It's not hard-coded since #64

It's also documented.

https://github.com/JimBobSquarePants/UmbracoFileSystemProviders.Azure#usage

Protecting the media by default changes the default behaviour from the file based service and requires ImageProcessor.Web customization.
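
Added example, not part of the thread or the project's code: a small audit that reads a Blob service "List Containers" response and reports every container whose access level is not private, together with any blobs under a sensitive prefix. In that response a container without a `PublicAccess` element is private, `blob` allows anonymous reads of individual blobs by URL, and `container` additionally allows anonymous listing. The XML and blob names are constructed samples, the `forms/` prefix is an assumption based on the /media/forms path mentioned above, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: body of a Blob service "List Containers" response.
# Account and container names are made up for this example.
SAMPLE_LISTING = """\
<EnumerationResults ServiceEndpoint="https://example.blob.core.windows.net/">
  <Containers>
    <Container><Name>media</Name>
      <Properties><LeaseStatus>unlocked</LeaseStatus><PublicAccess>blob</PublicAccess></Properties>
    </Container>
    <Container><Name>backups</Name>
      <Properties><LeaseStatus>unlocked</LeaseStatus></Properties>
    </Container>
    <Container><Name>assets</Name>
      <Properties><PublicAccess>container</PublicAccess></Properties>
    </Container>
  </Containers>
</EnumerationResults>"""

# Constructed blob names per container; "forms/" as the upload prefix is an assumption.
SAMPLE_BLOBS = {
    "media": ["1001/logo.png", "forms/upload/form_1/cv.pdf"],
    "assets": ["css/site.css"],
}

def container_access(listing_xml):
    """Map container name -> 'private', 'blob' or 'container'."""
    levels = {}
    for node in ET.fromstring(listing_xml).iter("Container"):
        # No <PublicAccess> element means the container is private.
        level = (node.findtext("Properties/PublicAccess") or "").strip().lower()
        levels[node.findtext("Name")] = level or "private"
    return levels

def audit(listing_xml, blobs_by_container, sensitive_prefix="forms/"):
    """Return (container, level, sensitive blob names) for each public container."""
    findings = []
    for name, level in sorted(container_access(listing_xml).items()):
        if level == "private":
            continue
        exposed = [b for b in blobs_by_container.get(name, [])
                   if b.lower().startswith(sensitive_prefix)]
        findings.append((name, level, exposed))
    return findings

if __name__ == "__main__":
    for name, level, exposed in audit(SAMPLE_LISTING, SAMPLE_BLOBS):
        print(f"{name}: public access = {level}, sensitive blobs = {exposed}")
```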