Dear fckeditor hackers,
may I ask you to have a look at the following issue:
The webform module allows adding upload fields to a form. If the user uploads a file, this file is accessible to any anonymous user who is able to guess the URL (in private download mode). This is caused by fckeditor's implementation of the _file_download() hook, because there is no real secure check in the code of whether the user should be allowed to view the file.
I'm not sure how that can be solved, but for me it looks like a security problem caused by fckeditor and not by webform.
Comments
Comment #1
wwalc CreditAttribution: wwalc commented
Check the latest version of the fckeditor.module, let me know if it is working for you and feel free to add your comments about it:
http://cvs.drupal.org/viewvc.py/drupal/contributions/modules/fckeditor/f...
(users with FCKeditor 6.x-1.3-rc6 may safely replace the old fckeditor.module file).
There is a new setting available in the FCKeditor Global Profile when private file system is in use.
However, even if you don't point FCKeditor to a subdirectory inside of a private directory, file downloads should be now handled correctly.
I assumed that all modules that upload files and implement some kind of protection on uploaded files, update the "files" database.
FCKeditor will now allow downloading file only if there is no information about it in the "files" table.
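The rule described in this comment (serve a file from the private directory only when no other module has registered it in the "files" table, and otherwise leave the decision to the module that owns it) can be written as a Drupal 6 hook_file_download() implementation. The block below is an added illustration, not code from fckeditor.module or webform; the module name mymodule, the permission name 'access editor uploads' and the variable 'mymodule_upload_dir' are assumptions, while the "files" table, file_create_path(), user_access() and the -1 / headers / NULL return convention are the Drupal 6 core API.

```php
<?php
/**
 * Implements hook_file_download() for a hypothetical module "mymodule".
 *
 * Drupal 6 calls this with a path relative to the file directory when a
 * file is requested through system/files/... in private download mode.
 * Return values understood by file_download():
 *   - array of HTTP headers: serve the file with these headers
 *   - -1:                    deny access
 *   - NULL:                  this module has no opinion (if no module
 *                            serves the file, core returns 404)
 */
function mymodule_file_download($filepath) {
  // Full path as stored in the {files} table, e.g. sites/default/files/x.txt.
  $full_path = file_create_path($filepath);

  // If any module registered this file in {files}, it is that module's
  // responsibility (webform, upload, ...) to decide who may read it.
  // Returning NULL instead of headers means we never serve on its behalf.
  $result = db_query("SELECT fid FROM {files} WHERE filepath = '%s'", $full_path);
  if (db_fetch_object($result)) {
    return NULL;
  }

  // Only serve files that live inside the editor's own upload directory.
  // ASSUMPTION: the directory is configurable under 'mymodule_upload_dir'
  // and is a subdirectory of the site file directory.
  $upload_dir = file_directory_path() . '/' . variable_get('mymodule_upload_dir', 'editor');
  $real_dir = realpath($upload_dir);
  $real_file = realpath($full_path);
  if ($real_dir === FALSE || $real_file === FALSE
      || strpos($real_file, $real_dir . DIRECTORY_SEPARATOR) !== 0) {
    // Outside our directory (or a '..' traversal): not ours, stay silent.
    return NULL;
  }

  // ASSUMPTION: a permission guarding the editor's uploads.
  if (!user_access('access editor uploads')) {
    return -1;
  }

  return array(
    'Content-Type: ' . file_get_mimetype($real_file),
    'Content-Length: ' . filesize($real_file),
  );
}
```

Two points follow from the return convention: returning NULL for files listed in the "files" table is what closes the hole the issue reports, because the editor no longer serves webform's uploads to anonymous users, and the realpath containment check keeps the "not in the table" branch from becoming a read primitive for anything else under the private directory. The check only helps for modules that do record their uploads in "files", which is the assumption comment #1 states.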
Comment #2
advseb CreditAttribution: advseb commented
I tested with 6.x-1.3-rc6 and replacing fckeditor.module with revision 1.20.2.84. Now, only the administrator can access the file uploaded through webform. So the check "if (db_fetch_object($result)) {" evaluates to true. I will check with webform developers, why the file is not returned to the uploader. Anyway, this should not be an issue of fckeditor module anymore. Thanks for fixing that!
Comment #3
wwalc CreditAttribution: wwalc commented