
Umbraco Forms file uploads go to insecure location

Open sussexrick opened this issue 7 years ago • 10 comments

This is not an issue with this project, and I've logged it as a problem with Umbraco Forms (http://issues.umbraco.org/issue/CON-1454).

However, since we use this project as our IFileSystem for media I've made some changes to our fork that support redirecting Umbraco Forms uploads to a separate container, which can be private. I need to update tests and documentation and then push it.

It's a workaround that won't apply to everyone so I don't know if you'll want to bring it into the main project, but I can submit a PR if you want me to?

sussexrick avatar Nov 22 '17 17:11 sussexrick

@caterwomtious interesting, so Forms uploads to the standard media folder? This would be an issue even if UmbracoFileSystemProviders.Azure wasn't in use?

Jeavon avatar Nov 22 '17 18:11 Jeavon

Yes, without UmbracoFileSystemProviders.Azure they just go to /media/forms/uploads on disk. I tested that first, then realised that because we're using UmbracoFileSystemProviders.Azure I had a way to work around it.

sussexrick avatar Nov 23 '17 10:11 sussexrick

Neils has just said on Our that they'll prioritise this for the next Forms version.

sussexrick avatar Nov 27 '17 11:11 sussexrick

Is there any news?

CasperTDK avatar Oct 16 '18 12:10 CasperTDK

Nope. The next version of Forms has been and gone and it wasn't fixed. I've logged it again on the new tracker, and created a NuGet package, Escc.Umbraco.Forms.Security, which includes an updated FileSystemProvider which routes forms uploads to a separate folder that can be secured properly (but that's for files on disk, not blob storage).

https://github.com/east-sussex-county-council/Escc.Umbraco.Forms https://www.nuget.org/packages?q=Escc.Umbraco.Forms

sussexrick avatar Oct 16 '18 12:10 sussexrick

@sussexrick thanks a lot for the update, I wanted to be sure I didn't miss anything. Yeah, it is a great package, but we need to use it together with Azure. We will inform our clients of the current status.

CasperTDK avatar Oct 16 '18 13:10 CasperTDK

I also have a fork of this project with a similar workaround which you're welcome to use. I build from the 'escc' branch which includes other changes and publish to our private NuGet feed, but the 'umbraco-forms' branch should be just the base project plus the workaround for this issue. We're using it without problems.

sussexrick avatar Oct 16 '18 13:10 sussexrick

@sussexrick but your patch also prevents back office users from accessing the files, correct?

CasperTDK avatar Oct 16 '18 14:10 CasperTDK

No, it redirects back office requests via something (a web API IIRC) that checks they're authenticated.

sussexrick avatar Oct 16 '18 14:10 sussexrick

I may be missing something here but in our case we just add a location entry to the web.config to deny access to the Umbraco Forms upload location. This also denies access when the Azure file system provider is used.

AstuteMediaDev avatar May 01 '19 12:05 AstuteMediaDev
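The web.config `<location>` entry described in the comment above, written out as an added example (this is not configuration from the thread or from either project). The folder path /media/forms/uploads is the one named earlier in the thread; using both the ASP.NET and IIS authorization sections is an assumption made so that the rule holds whether the request is served by a managed handler (e.g. a virtual path provider) or as a static file from disk.

```xml
<!-- Added example: block web requests to the Umbraco Forms upload folder.
     Path taken from this thread; adjust it if uploads are stored elsewhere. -->
<configuration>
  <location path="media/forms/uploads">
    <!-- ASP.NET URL authorization: applies to requests that reach the managed
         pipeline, including media served through a virtual path provider. -->
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
    <!-- IIS URL authorization: also covers plain static-file requests on disk.
         Requires the IIS URL Authorization feature to be installed. The
         <clear /> drops the inherited "allow all" rule before adding the deny. -->
    <system.webServer>
      <security>
        <authorization>
          <clear />
          <add accessType="Deny" users="*" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>
```

To check the rule, request a known upload URL without a session and confirm the server answers with 401/403 rather than the file. As raised earlier in the thread, a blanket deny like this also stops back-office editors downloading the files directly, so an authenticated route (such as the web API approach mentioned above) is still needed for them.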