This topic is: resolved
Uploaded files and security (Quform WordPress forum)
Hi,
I’ve discovered that when we delete a form submission with an uploaded file, that file is never deleted, and it doesn’t show in the Media gallery, so we have no way to delete it (except with a file deletion on the server). So, it’s not quite GDPR compliant.
Another thing: access to files isn’t protected against non-connected users, and filenames are preserved on upload so they can be guessed, and in fact, the files may also be indexed by search engines if robots.txt isn’t configured to block this stuff (and it’s worse if Apache is configured with +Indexes…)
Examples of search with Google:
inurl:iphorm ext:pdf
inurl:iphorm ext:xlsx
inurl:quform ext:pdf
…
For our platform, I’ve mitigated this with a strict robots.txt file, a robots noindex meta tag and Apache “-Indexes”.
For restricted access to files, I’ve just found this, but I’ve not tested it:
https://github.com/orbisius/orbisius-wp-media-protector
For file deletion, I’m searching for a solution!
Thanks for the reply! I’ve protected the upload folder with Apache authentication.
The delete file option will be great!
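
The mitigations mentioned in the posts above (directory listing disabled, noindex, authentication on the upload folder) written as one Apache 2.4 configuration. This is an added example, not code from the thread or from Quform; the directory path, realm name and password file are placeholders, and it assumes mod_headers is enabled.

```apache
# Added example. Placeholders: the <Directory> path, AuthName and AuthUserFile.
# Assumes Apache 2.4 with mod_headers, mod_auth_basic and mod_authn_file loaded.

# Before (weak): listing enabled and every file readable by anyone with the URL.
# <Directory "/var/www/example/wp-content/uploads/FORM-UPLOADS">
#     Options +Indexes
#     Require all granted
# </Directory>

# After (hardened):
<Directory "/var/www/example/wp-content/uploads/FORM-UPLOADS">
    # No auto-generated listing, so original filenames cannot be read off the folder URL.
    Options -Indexes

    # Sent on every response, including 401s. PDF and XLSX files cannot carry a
    # <meta name="robots"> tag, so the HTTP header is the only noindex signal for them.
    Header always set X-Robots-Tag "noindex, nofollow, noarchive"

    # Every request for an uploaded file needs a valid login.
    AuthType Basic
    AuthName "Form uploads"
    AuthUserFile "/etc/apache2/.htpasswd-form-uploads"
    Require valid-user
</Directory>
```

Basic authentication sends the password with every request, so serve this directory over HTTPS only. A crawler blocked by robots.txt never fetches the file and so never sees the X-Robots-Tag header; the authentication requirement is what actually keeps the content out of reach.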