This was originally reported as a private security issue, but has been approved for handling in the public queue by the Drupal Security Team.

Background information

Problem/Motivation

We noticed that some private files could be downloaded by anonymous users even after the files have been removed from content.

It is probably caused by this core issue: #3059494: File usage is not tracked by revision, leading to private files embedded in text fields in old revisions being accessible when they shouldn't be
But I am reporting it here in case we also need to do something in editor_file to fix it (and to make users of the module aware of this limitation).

Steps to reproduce

1. Enable the module
2. Create a bundle with a CKE field.
3. Create a node in this bundle and use editor_file to upload a file in the CKE field. Publish the node.
4. As an anonymous user, try to download the file: you can.
5. Edit the node and remove the file from the CKE field.
   As an anonymous user who cannot see older revisions, try to download the file: you still can.
6. Delete the node.
   As an anonymous user, try to download the file: you now can't.

Proposed resolution

Wait for the core issue to be fixed, then check if it is also fixed for editor_file.

Remaining tasks

User interface changes

API changes

Data model changes
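Added example, not code from editor_file or Drupal core: a diagnostic script for a site affected by the behaviour reported above. Private file downloads in core are gated by file_file_download(), which consults the file_usage table, so a file stays downloadable as long as a usage entry points at an entity the visitor may view. This script takes a file ID, lists every node that file_usage says references it, and then walks all revisions of each node to show whether the file is still embedded in the current revision or only in older ones. Assumptions: it is run with `drush php:script` (so the `$extra` argument array is available), the embed markup carries `data-entity-type="file"` and `data-entity-uuid` attributes as core's editor module writes them, and the simplified regex below stands in for core's internal UUID parsing.

```php
<?php

/**
 * Diagnostic: which revisions of a node still embed a given private file?
 *
 * Added example, not part of editor_file or Drupal core. Save as
 * check_file_usage.php and run inside a bootstrapped site with
 *   drush php:script check_file_usage.php -- <fid>
 * The file ID arrives in $extra[0] (drush convention, assumed here).
 */

use Drupal\Core\Entity\ContentEntityInterface;
use Drupal\file\Entity\File;

/**
 * Returns the file UUIDs referenced by data-entity-type="file" tags in $html.
 *
 * Assumption: markup as written by the editor/editor_file plugins. This is a
 * simplified stand-in for core's internal parser, not core's own code.
 */
function example_embedded_file_uuids(string $html): array {
  $uuids = [];
  // Attributes in either order within one tag.
  $patterns = [
    '/<[^>]*data-entity-type="file"[^>]*data-entity-uuid="([^"]+)"/i',
    '/<[^>]*data-entity-uuid="([^"]+)"[^>]*data-entity-type="file"/i',
  ];
  foreach ($patterns as $pattern) {
    if (preg_match_all($pattern, $html, $matches)) {
      $uuids = array_merge($uuids, $matches[1]);
    }
  }
  return array_values(array_unique($uuids));
}

/**
 * Returns TRUE if any formatted-text field on $entity embeds file $uuid.
 */
function example_entity_embeds_file(ContentEntityInterface $entity, string $uuid): bool {
  $text_types = ['text', 'text_long', 'text_with_summary'];
  foreach ($entity->getFieldDefinitions() as $name => $definition) {
    if (!in_array($definition->getType(), $text_types, TRUE)) {
      continue;
    }
    foreach ($entity->get($name) as $item) {
      $html = (string) $item->value;
      if ($definition->getType() === 'text_with_summary') {
        $html .= (string) $item->summary;
      }
      if (in_array($uuid, example_embedded_file_uuids($html), TRUE)) {
        return TRUE;
      }
    }
  }
  return FALSE;
}

$fid = (int) ($extra[0] ?? 0);
$file = File::load($fid);
if (!$file) {
  exit("No file with fid $fid.\n");
}
printf("File %d (%s), uuid %s\n", $file->id(), $file->getFileUri(), $file->uuid());

// file_usage is what file_file_download() consults before serving a private
// file: while an entry exists and the visitor can view the referencing
// entity, the download is granted, regardless of which revision embeds it.
$usage = \Drupal::service('file.usage')->listUsage($file);
$storage = \Drupal::entityTypeManager()->getStorage('node');
$found = FALSE;

foreach ($usage as $module => $types) {
  foreach ($types['node'] ?? [] as $nid => $count) {
    $found = TRUE;
    printf("node %d: usage count %d recorded by module '%s'\n", $nid, $count, $module);
    // All revision IDs of this node, keyed by vid.
    $vids = $storage->getQuery()
      ->accessCheck(FALSE)
      ->allRevisions()
      ->condition('nid', $nid)
      ->execute();
    foreach (array_keys($vids) as $vid) {
      $revision = $storage->loadRevision($vid);
      printf("  revision %d%s: %s\n",
        $vid,
        $revision->isDefaultRevision() ? ' (current)' : '',
        example_entity_embeds_file($revision, $file->uuid()) ? 'embeds file' : 'does not embed file'
      );
    }
  }
}
if (!$found) {
  print "No node usage recorded for this file.\n";
}
```

Reading the output against the steps above: after step 5 the current revision reports "does not embed file" while an older revision still embeds it and the usage count is non-zero, which is why the anonymous download in step 5 still succeeds; after step 6 the usage rows are gone along with the node, matching the 403 observed there.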

Comments

prudloff created an issue.