Created by Rick Mason 22 Nov 2017, 17:24:07
Updated by Rick Mason 06 Sep 2018, 13:19:59
Tags: Prioritize
Relates to: CON-797
Relates to: CON-1183
Your report will have a greater chance of being addressed if you can give us clear steps to reproduce the issue. Please answer the following questions in as much detail as possible:
What did you do?
Create a form in Umbraco Forms 6.0.5 with a file upload type. Fill in the form by uploading a file and clicking submit.
What did you expect to happen?
The file could contain private and confidential information or personal data, so I would expect it to be accessible only to people with permissions to view data submitted to that form.
Most likely I would expect it to upload to another IFileSystem configured in FileSystemProviders.config with a different alias.
What actually happened?
It was uploaded to the standard media folders via the IFileSystem. This location is typically available to anyone who can view the entire website, which on a public website means anyone with an Internet connection. It has a URL that's difficult to guess, but that's not sufficient protection for personal or private data.
What version of Umbraco are you using?
What version of Umbraco Forms or Contour are you using?
I wonder if we can not just create a custom FileUpload control. See: http://www.skrift.io/articles/archive/extending-umbraco-forms/
I do not know if this will work with workflows such as sending a receipt by email (with the file attached).
Should be ootb for GDPR compliance.
I've published a NuGet package, Escc.Umbraco.Forms.Security, which includes an updated FileSystemProvider which routes forms uploads to a separate folder that can be secured properly.
Backwards Compatible: False
Affected versions: 6.0.5
Due in version:
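To check whether uploads stored as the report describes have already been fetched without authentication, the following added example (not part of the original issue or of Umbraco Forms) scans IIS W3C logs for anonymous, successfully served requests under the upload folder. The `UPLOAD_PREFIX` path and the sample log lines are assumptions constructed for illustration; set the prefix to wherever your installation writes form uploads.

```python
# Added example: flag anonymous, successfully served requests for form uploads
# in IIS W3C extended logs.
# ASSUMPTION: uploads live under UPLOAD_PREFIX; this path is not taken from the issue.
UPLOAD_PREFIX = "/media/forms/upload/"

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2018-01-10 09:00:01 GET /media/forms/upload/aaaa1111/cv.pdf - 203.0.113.7 200
2018-01-10 09:00:05 GET /media/1001/logo.png - 203.0.113.7 200
2018-01-10 09:01:12 GET /media/forms/upload/aaaa1111/cv.pdf editor@example.org 198.51.100.4 200
2018-01-10 09:02:30 GET /media/forms/upload/bbbb2222/passport.jpg - 203.0.113.9 404
2018-01-10 09:03:44 GET /Media/Forms/Upload/cccc3333/claim.docx - 203.0.113.9 304
"""


def anonymous_upload_hits(log_text, prefix=UPLOAD_PREFIX):
    """Return (timestamp, client_ip, path) for anonymous 2xx/304 hits under prefix."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the field list can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip truncated or malformed rows
        row = dict(zip(fields, values))
        status = row.get("sc-status", "")
        served = status.startswith("2") or status == "304"  # 304: client already holds a copy
        under_prefix = row.get("cs-uri-stem", "").lower().startswith(prefix.lower())
        anonymous = row.get("cs-username") == "-"  # "-" means no authenticated user
        if row.get("cs-method") in ("GET", "HEAD") and under_prefix and anonymous and served:
            hits.append((f'{row.get("date")} {row.get("time")}',
                         row.get("c-ip"), row["cs-uri-stem"]))
    return hits


if __name__ == "__main__":
    for when, ip, path in anonymous_upload_hits(SAMPLE_LOG):
        print(when, ip, path)
```

Depending on how authentication is wired into the IIS pipeline, signed-in users fetching static files may also be logged with `-`, so treat each hit as a candidate to review rather than confirmed exposure.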