See:
https://www.drupal.org/psa-2016-003
#2816405: Warn admin users on site status report page if insecure webforms are found
#2816121: [meta] Is there anything webform can do to mitigate PSA-2016-003?
#2816303: File upload destination should be private files by default if available
Possible solutions
- Add warning that is displayed when public file uploads are enabled.
- Managed file upload directory should default to 'private'.
- There should be a global setting that defaults to require all file uploads to be private.
- If the private files directory is not set up, block the managed_file element from being used.
- Managed file element support may need to be optional.
Comment | File | Size | Author |
---|---|---|---|
#9 | manage file element warning.png | 149.59 KB | jrockowitz |
#9 | status report public file warning.png | 90.42 KB | jrockowitz |
#9 | enable elements and public files.png | 123.37 KB | jrockowitz |
#8 | drupal_file_upload_by-2817535-8.patch | 38.79 KB | jrockowitz |
#5 | drupal_file_upload_by-2817535-5.patch | 35.62 KB | jrockowitz |
Comments
Comment #2
jrockowitz commented
Comment #3
jrockowitz commented
Comment #5
jrockowitz commented
Comment #8
jrockowitz commented
Comment #9
jrockowitz commented
Disable public file upload by default. (Existing installations will still have public files enabled)
Allow elements (including 'Managed File') to be disabled.
Add warning to element dialog when public file uploads are enabled and selected.
Add warning about enabling the private file uploads to Status page.
Comment #12
jrockowitz commented
Comment #13
cilefen (as a volunteer) commented