CON-1454 - File uploads go to insecure location

Created by Rick Mason 22 Nov 2017, 17:24:07 Updated by Rick Mason 06 Sep 2018, 13:19:59

Tags: Prioritize

Relates to: CON-797

Relates to: CON-1183

Your report will have a greater chance of being addressed if you can give us clear steps to reproduce the issue, please answer the following questions in as much detail as possible:

What did you do?

Create a form in Umbraco Forms 6.0.5 with a file upload type. Fill in the form by uploading a file and clicking submit.

What did you expect to happen?

The file could contain private and confidential information or personal data, so I would expect it to be accessible only to people with permissions to view data submitted to that form.

Most likely I would expect it to upload to another IFileSystem configured in FileSystemProviders.config with a different alias.

What actually happened?

It was uploaded to the standard media folders via the IFileSystem. This location is typically available to anyone who can view the entire website, which on a public website means anyone with an Internet connection. It has a URL that's difficult to guess, but that's not sufficient protection for personal or private data.

What version of Umbraco are you using?


What version of Umbraco Forms or Contour are you using?



Casper Thygesen 06 Dec 2017, 14:05:36

I wonder if we can not just create a custom FileUpload control. See:

I do not know if this will work with workflows such as sending an receipt by email (with the file attached)

DLi 23 May 2018, 14:09:02

Should be ootb for GDPR compliance.

Rick Mason 03 Aug 2018, 11:22:35

I've published a NuGet package, Escc.Umbraco.Forms.Security, which includes an updated FileSystemProvider which routes forms uploads to a separate folder that can be secured properly.

Rick Mason 06 Sep 2018, 13:19:59

On github as

Priority: Normal

Type: Bug

State: Submitted




Backwards Compatible: False

Fix Submitted:

Affected versions: 6.0.5

Due in version:


Story Points: