Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Anonymous users often can't use plupload because they don't have any session information, so the token checking code fails. Not sure what the best workaround for this is, maybe storing a placeholder in the session when you first build the element?
Comment | File | Size | Author |
---|---|---|---|
#12 | 1426088_plupload_anonymous_uploads_12.patch | 575 bytes | slashrsm |
#1 | 1426088_plupload_anonymous_uploads.patch | 649 bytes | slashrsm |
Comments
Comment #1
slashrsm CreditAttribution: slashrsm commentedWe could just start session when plupload loads for anonymous users too. I tested and it works for me...
What do you think?
Comment #2
jain_vivek CreditAttribution: jain_vivek commentedI tried passing $skip_anonymous to TRUE value while calling api drupal_valid_token in plupload_upload_access. This skips the check for validating token for anonymous users. So in plupload.module changing
to
is working for me. Please try it.
Comment #3
slashrsm CreditAttribution: slashrsm commentedThat approach looks better, as we do not create session for anonymous users.
I was thinking if we would create another permission like "use plupload" and add it to upload handler menu item. This would allow admin to fine-control access settings. I think allowing every anonymous user to upload files by default is not really a good idea.
Switching to needs work, as we need to prepare patch with your solution.
Comment #4
slashrsm CreditAttribution: slashrsm commentedI was thinking about this and I realized that this solution actually creates a security issue. Since it does not check tokens for anonymous users it allows them to upload things on server even when they are not supposed to. That's not OK. I think we have to create session and check for token anyway.
Permission itself would not fix this. I also realized that we should not create permission as this is an API module. It should be a responsibility of modules implementing this.
Comment #5
bdk CreditAttribution: bdk commentedI implemented the skip_anonymous on my site and it seems to be working fine.
Can you describe the security issue here? If anonymous users are allowed to upload, then it seems to me the token check is unnecessary.
Comment #6
slashrsm CreditAttribution: slashrsm commentedToken check is used to determine if user really loaded plupload on a page or it is just trying to push a file on server using that menu callback. This is similar approach which is used in drupal Form API. At least as far as I understand this.
Comment #7
bdk CreditAttribution: bdk commentedI guess my point is that if a server admin wants to give anonymous users access to a plupload form, then they can already push a file to the server. What extra security does the token add?
Comment #8
slashrsm CreditAttribution: slashrsm commentedThe point here is, that if you check security token even for anonymous users you know at least three things:
- plupload element was actually loaded on client side before upload,
- plupload element is part of some form,
- plupload is a part of some "bigger story", which will (hopefully) validate upload, check file extension, size, ...
That means that we rely on a module, that uses Plupload, to check that upload beeing secure.
If we skip that token, we basically open that menu path to everyone. That means that literally anyone can upload *anything* without even loading the form. Uploaded files will not be validated or checked at all. Not good IMO.
Comment #9
bdk CreditAttribution: bdk commentedSo the website that I'm using plupload with is rochester.indymedia.org. If you go to that site, anyone can publish an article without logging in. This means that if they want to upload anything, they just need to load rochester.indymedia.org/publish-article, to get the plupload form. For that site, having a token check doesn't seem to add any additional security, it just means someone needs to do an extra HTTP request. Maybe I'm focusing too much on my specific experience, but I think most sites would be set up a similar way if they allowed anonymous uploads.
I don't think this is the most important thing in the world though, and I don't mean to be going back and forth about this. Maybe there could be a variable that controls if you want to skip the token check, or create a session?
Comment #10
slashrsm CreditAttribution: slashrsm commentedYes, that is your specific use case. In that case you decided, that you want to open that form to anonymous users. If we commit your patch, we open upload URL worldwide for *all* sites that use Plupload. Even if they do not want to do that.
What is the problem with session? Is there any reason why session does not fit your use-case?
Comment #11
bdk CreditAttribution: bdk commentedSession would work okay for me. The main issue is the extra resources required to create/maintain a session. I also think that it's nice to let people use the site without cookies enabled. Neither of those are very important though.
If creating a session fixes this bug and is easier for you, then go for it.
Comment #12
slashrsm CreditAttribution: slashrsm commentedIt seems like #process is a better place for this to be done.
Comment #13
slashrsm CreditAttribution: slashrsm commentedCommited.