User uploaded files may be publicly available


Hi,

Episerver Forms 4.25.0 restricts access to uploaded files by removing the "Everyone" role and leaving everything else as is. If the instance has defined additional read access for Visitor Groups, Users or other Groups, these remain and allow those users to read the uploaded files without any special privileges.

These users, especially the "Anonymous" role, should not have any visibility of the uploaded files.

Is this an intentional feature or a security issue? I would be happy to find a more secure workaround that restricts file access for everyone except the content editors.

Please see the method EPiServer.Forms.Core.Internal.DataSubmissionService.GetOrCreateFolderForStoringFiles() in EPiServer.Forms.Core.dll for details.

#205001
Jun 25, 2019 14:52

Hi,

Yes, we do this intentionally. By default, uploaded files are not accessible to anonymous users. If you want only content editors to have access rights to uploaded files, remove all groups from the Upload files folder except content editors. For flexibility, you can override the method EPiServer.Forms.Core.Internal.DataSubmissionService.GetOrCreateFolderForStoringFiles().

#205058
Edited, Jun 27, 2019 11:31
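The answer above leaves the actual ACL cleanup to the reader. The following C# helper is an added example, not code from the thread or from EPiServer.Forms: it audits and then replaces the ACL on the upload folder so that only explicitly named roles keep access, which is the "remove all groups except content editors" step done in code. It uses the public Episerver CMS security API (IContentSecurityRepository, ContentAccessControlList, AccessControlEntry, SecuritySaveType) as it exists in CMS 11; the class name UploadFolderAccessRestrictor, the role names "WebEditors" and "WebAdmins" and the method names are assumptions for illustration, and the exact signature of GetOrCreateFolderForStoringFiles() should be read from the installed EPiServer.Forms.Core.dll before wiring the helper into an override of it.

```csharp
// Added example (not part of the forum thread or of EPiServer.Forms).
// Assumes the EPiServer.Security API of Episerver CMS 11; verify member
// names against the installed version before use.
using System;
using System.Collections.Generic;
using System.Linq;
using EPiServer.Core;
using EPiServer.Security;

namespace Example.FormsUploads // hypothetical namespace
{
    public class UploadFolderAccessRestrictor // hypothetical class name
    {
        private readonly IContentSecurityRepository _securityRepository;

        public UploadFolderAccessRestrictor(IContentSecurityRepository securityRepository)
        {
            _securityRepository = securityRepository ?? throw new ArgumentNullException(nameof(securityRepository));
        }

        /// <summary>
        /// Lists every ACL entry on the folder that grants Read and is not one of the
        /// allowed roles. Run this before and after RestrictToRoles to see what the
        /// default "remove Everyone" behaviour left behind (visitor groups, users,
        /// other groups, inherited entries).
        /// </summary>
        public IReadOnlyList<AccessControlEntry> FindUnexpectedReaders(
            ContentReference folderLink, ISet<string> allowedRoles)
        {
            var descriptor = _securityRepository.Get(folderLink);
            return descriptor.Entries
                .Where(e => (e.Access & AccessLevel.Read) == AccessLevel.Read)
                .Where(e => e.EntityType != SecurityEntityType.Role || !allowedRoles.Contains(e.Name))
                .ToList();
        }

        /// <summary>
        /// Replaces the folder's ACL with a non-inherited list containing only the
        /// given roles. Everything else (Everyone, Anonymous, visitor groups, users,
        /// other groups) is dropped because the list is rebuilt from scratch and
        /// saved with SecuritySaveType.Replace rather than merged.
        /// </summary>
        public void RestrictToRoles(ContentReference folderLink, IDictionary<string, AccessLevel> allowedRoles)
        {
            if (ContentReference.IsNullOrEmpty(folderLink))
                throw new ArgumentException("Folder reference is required.", nameof(folderLink));
            if (allowedRoles == null || allowedRoles.Count == 0)
                throw new ArgumentException("At least one role must keep access, or editors lock themselves out.", nameof(allowedRoles));

            var acl = new ContentAccessControlList(folderLink)
            {
                // Break inheritance: otherwise a permissive parent (for example the
                // global assets root) can still grant Read to visitors.
                IsInherited = false
            };

            foreach (var role in allowedRoles)
            {
                acl.Add(new AccessControlEntry(role.Key, role.Value, SecurityEntityType.Role));
            }

            _securityRepository.Save(folderLink, acl, SecuritySaveType.Replace);
        }

        /// <summary>
        /// Convenience wrapper with the role names this example assumes. Editors get
        /// enough to manage the files; admins keep FullAccess so the ACL stays
        /// administrable. Adjust the names to the site's own groups.
        /// </summary>
        public void RestrictToEditorsAndAdmins(ContentReference folderLink)
        {
            RestrictToRoles(folderLink, new Dictionary<string, AccessLevel>
            {
                ["WebEditors"] = AccessLevel.Read | AccessLevel.Create | AccessLevel.Edit | AccessLevel.Delete,
                ["WebAdmins"] = AccessLevel.FullAccess
            });
        }
    }
}
```

Call RestrictToEditorsAndAdmins with the folder reference that GetOrCreateFolderForStoringFiles() returns (from an override of it, or from a scheduled job that walks existing form upload folders). Saving an ACL through IContentSecurityRepository is itself an access-controlled operation, so the calling context needs Administer rights on the folder; check FindUnexpectedReaders afterwards rather than trusting that the save removed what you expected, since an inherited entry that is not surfaced in the folder's own list is exactly the case the question describes.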