This module has a custom version of file_save_upload() which needs to be updated to match the Drupal 7.56 security release. If not, a possible side effect is that if an anonymous user uploads a private file to a widget that uses this module, they won't be able to see a preview of the file before it is submitted (see https://www.drupal.org/project/drupal/releases/7.56). I am not sure if that actually happens because when I tested it previously I wasn't able to get anonymous remote uploads to work with this module at all (maybe I was doing something wrong), but either way it should be fixed.

The ideal fix would be to change this module's custom file-saving function so it's a wrapper around file_save_upload() rather than a replacement for it, but I'm not sure offhand if that is possible. In the meantime, it's possible to just borrow the new code from core instead.

Comment | File | Size | Author
#2 | filefield-sources-2888308-2.patch | 925 bytes | David_Rothstein

Comments

David_Rothstein created an issue.

David_Rothstein

Status: Active » Needs review
FileSize: 925 bytes

Here's a patch (untested) which just borrows the new code from core.

JJmonterey

David,
So this does not affect authorized users? Also, I'm not sure I can visualize a scenario where anonymous users would be granted permission to upload to a private file folder or view private files.

David_Rothstein

Yes, this affects anonymous users only.

There are a lot of situations where an anonymous user would be able to upload a private file. (Typically they would not be able to view it after it is saved, but would still need to be able to view or preview it during upload.) An example would be uploading a résumé as part of a job application. (When fixing the underlying security issue, the security team got a surprising number of reports from sites who were affected by the general security issue, and all of them were allowing anonymous users to upload private files.)
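As an added illustration of the two points above (the issue summary's suggestion that the module's custom save routine should defer to core rather than replace it, and the comment above that an anonymous uploader must be able to preview a temporary private file without other anonymous visitors seeing it), here is what the save step and the matching download access check look like when written the way Drupal 7.56 core handles anonymous uploads. This is example code, not code from FileField Sources, from the attached patch, or from Drupal core. Function names prefixed `example_` are hypothetical; the session key `anonymous_allowed_file_ids` is taken from core's `file_save_upload()` as of 7.56 and should be confirmed against the core version you are patching against.

```php
<?php
// Added illustration; not code from FileField Sources or from Drupal core.
// Function names prefixed "example_" are hypothetical. The session key
// 'anonymous_allowed_file_ids' is the one Drupal 7.56 core uses in
// file_save_upload(); confirm it against the core version you patch against.

/**
 * Record a remotely fetched file (already on local disk at $local_path) as a
 * temporary managed file in $destination, applying the widget's validators.
 *
 * Returns the saved file object, or FALSE on validation or move failure.
 */
function example_save_fetched_file($local_path, $destination, array $validators = array()) {
  global $user;

  $file = new stdClass();
  $file->uid      = $user->uid;
  $file->status   = 0;  // temporary until the enclosing form is submitted
  $file->filename = drupal_basename($local_path);
  $file->uri      = $local_path;
  $file->filemime = file_get_mimetype($file->filename);
  $file->filesize = filesize($local_path);

  // Same validation core applies in file_save_upload(): the extension and
  // size limits configured on the field still hold for remotely sourced files.
  if ($errors = file_validate($file, $validators)) {
    foreach ($errors as $error) {
      drupal_set_message($error, 'error');
    }
    return FALSE;
  }

  if (!file_prepare_directory($destination, FILE_CREATE_DIRECTORY)) {
    return FALSE;
  }
  $uri = file_unmanaged_move($local_path, $destination . '/' . $file->filename, FILE_EXISTS_RENAME);
  if (!$uri) {
    return FALSE;
  }
  $file->uri = $uri;
  $file = file_save($file);

  // Every anonymous upload is owned by uid 0, so "owner == current user" is
  // true for *any* anonymous visitor. Tie the temporary file to the uploading
  // session instead; the access check below only consults this list.
  if (!$user->uid) {
    $_SESSION['anonymous_allowed_file_ids'][$file->fid] = $file->fid;
  }
  return $file;
}

/**
 * Implements hook_file_download() for the hypothetical "example" module.
 *
 * Only reached for private:// files. Returns headers to serve the file, -1 to
 * deny, or NULL to express no opinion and let other modules decide.
 */
function example_file_download($uri) {
  global $user;

  $files = file_load_multiple(array(), array('uri' => $uri));
  $file = reset($files);
  if (!$file) {
    return NULL;
  }
  // Permanent files are governed by the field-level access of the entity
  // they are attached to; this hook only covers the preview-during-upload
  // window that the issue is about.
  if ($file->status == FILE_STATUS_PERMANENT) {
    return NULL;
  }
  // Authenticated uploader: ownership is a reliable test.
  if ($user->uid && $file->uid == $user->uid) {
    return file_get_content_headers($file);
  }
  // Anonymous uploader: only the session that created the file may see it.
  if (!$user->uid && !empty($_SESSION['anonymous_allowed_file_ids'][$file->fid])) {
    return file_get_content_headers($file);
  }
  return -1;
}
```

The point of keeping the session bookkeeping next to `file_save()` is that any code path which creates a temporary private file for an anonymous user, whether from `$_FILES` or from a remote fetch, must leave the same trail, or the download hook has nothing to grant against and the preview breaks for exactly the users the issue describes.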

quicksketch

Status: Needs review » Fixed

Thanks, committed to 7.x-1.x!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.