Uploaded files and security
- This topic has 2 replies, 2 voices, and was last updated 7 years ago by
Ifremer.
September 4, 2018 at 12:47 pm #26926
Ifremer
Participant

Hi,
I've discovered that when we delete a form's submission with an uploaded file, that file is never deleted and it doesn't show in the Media gallery, so we have no way to delete it (except with a file deletion on the server). So, it's not quite GDPR compliant.
Another thing: access to files isn't protected from non-connected users, and filenames are preserved on upload so they can be guessed, and in fact, the files may also be indexed by search engines if robots.txt isn't configured to block this stuff (and it's worse if Apache is configured with +Indexes…)
Examples of searches with Google:
inurl:iphorm ext:pdf
inurl:iphorm ext:xlsx
inurl:quform ext:pdf
…

For our platform, I've mitigated this with a strict robots.txt file, robots noindex meta and Apache "-Indexes".
For restricted access to files, I've just found this but I've not tested it:
https://github.com/orbisius/orbisius-wp-media-protector

For file deletion, I'm searching for a solution!

September 6, 2018 at 4:42 pm #26935
Ally
Support Staff

September 7, 2018 at 7:27 am #26940
Ifremer
Participant

Thanks for the reply! I've protected the upload folder with Apache authentication.
The delete file option will be great!
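
The mitigations mentioned in this thread (Apache "-Indexes", noindex for crawlers, Apache authentication on the upload folder) combined into one `.htaccess`, as an added example that is not from the posters or from Quform. The directory it is placed in, the realm name and the password file path are assumptions to adapt to your install.

```apache
# .htaccess placed in the form upload directory (added example; the location
# of that directory depends on the install and is an assumption here).
# The server config must allow these overrides for the directory:
#   AllowOverride Options AuthConfig FileInfo

# No auto-generated directory listings (the "-Indexes" mitigation).
Options -Indexes

# Uploaded PDF/XLSX files cannot carry a <meta name="robots"> tag, so the
# noindex instruction is sent as an HTTP response header instead.
# Needs mod_headers; crawlers only see it on URLs they are allowed to fetch.
<IfModule mod_headers.c>
    Header set X-Robots-Tag "noindex, nofollow, noarchive"
</IfModule>

# Require a login for every file in this directory.
# HTTP Basic sends credentials with each request, so serve this over HTTPS.
# The password file path is a placeholder; keep the file outside the web root
# and create it with:  htpasswd -c /etc/apache2/htpasswd-uploads <user>
AuthType Basic
AuthName "Restricted uploads"
AuthUserFile /etc/apache2/htpasswd-uploads
Require valid-user
```

With authentication in place, an anonymous request for a guessed filename returns 401 instead of the file, and a request for the directory itself no longer returns a listing.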