This module has a custom version of file_save_upload() which needs to be updated to match the Drupal 7.56 security release. If not, a possible side effect is that if an anonymous user uploads a private file to a widget that uses this module, they won't be able to see a preview of the file before it is submitted (see https://www.drupal.org/project/drupal/releases/7.56). I am not sure if that actually happens because when I tested it previously I wasn't able to get anonymous remote uploads to work with this module at all (maybe I was doing something wrong), but either way it should be fixed.
The ideal fix would be to change this module's custom file-saving function so it's a wrapper around file_save_upload() rather than a replacement for it, but I'm not sure offhand if that is possible. In the meantime, it's possible to just borrow the new code from core instead.
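As an added illustration of the two approaches described in the summary (this is editor-written example code, not FileField Sources' own code and not the committed patch), here is what a wrapper around core's file_save_upload() and the "borrow the core code" stopgap look like in Drupal 7 PHP. Function names prefixed `example_` are hypothetical; the `$_SESSION['anonymous_allowed_file_ids']` key and the shape of the temporary-file access check are this editor's recollection of the Drupal 7.56 change and should be verified against includes/file.inc and modules/file/file.module of the core version in use.

```php
<?php
/**
 * Preferred approach: wrap core's file_save_upload() instead of replacing it.
 *
 * Everything core does to the upload (validation, destination handling, and
 * since 7.56 the session bookkeeping that lets an anonymous uploader preview a
 * private temporary file) happens inside the core call, so later core security
 * fixes apply to this module without copying code again.
 *
 * @param string $form_field_name
 *   The $_FILES key of the uploaded file.
 * @param array $validators
 *   Validators in the format file_save_upload() expects.
 * @param string|false $destination
 *   Stream wrapper URI of the target directory, e.g. 'private://resumes'.
 *
 * @return object|false
 *   The saved (still temporary) file object, or FALSE on failure.
 */
function example_save_upload($form_field_name, array $validators = array(), $destination = FALSE) {
  $file = file_save_upload($form_field_name, $validators, $destination, FILE_EXISTS_RENAME);
  if (!$file) {
    return FALSE;
  }
  // Module-specific post-processing goes here. It must not redo or undo the
  // security-relevant work core already did; the file stays temporary until
  // the enclosing form's submit handler saves it as permanent and records a
  // usage for it.
  return $file;
}

/**
 * Stopgap approach: a replacement for file_save_upload() must copy the 7.56
 * bookkeeping itself. Only the block that a replacement needs to add after
 * file_save() of the new record is shown; the rest of the copied function is
 * elided. ASSUMPTION: the session key name is as this editor recalls it from
 * core 7.56.
 */
function example_track_anonymous_upload($file) {
  global $user;
  // Non-public files uploaded by an anonymous user are recorded in that
  // visitor's session, so file_file_download() can grant the preview to the
  // session that uploaded the file rather than to every anonymous visitor
  // (who all share uid 0 and would otherwise match the file's owner).
  if (!$user->uid && file_uri_scheme($file->uri) != 'public') {
    $_SESSION['anonymous_allowed_file_ids'][$file->fid] = $file->fid;
  }
  return $file;
}

/**
 * The access-side counterpart, for modules that serve previews themselves.
 *
 * The check a module must NOT reimplement is "$file->uid == $user->uid" on its
 * own: for a temporary file with uid 0 every anonymous visitor satisfies it.
 * Permanent files are governed by field/entity access, not by this check.
 * ASSUMPTION: mirrors this editor's reading of core 7.56; verify against
 * file_file_download() before relying on it.
 */
function example_session_may_preview($file) {
  global $user;
  if ($file->status == FILE_STATUS_PERMANENT) {
    return FALSE;
  }
  if ($user->uid) {
    return $file->uid == $user->uid;
  }
  return isset($_SESSION['anonymous_allowed_file_ids'][$file->fid]);
}
```

The wrapper form is what the summary calls the ideal fix: the module gains core's fix for free and, more importantly, gains every future one. The copied form works until the next core change to file_save_upload(), at which point this issue repeats.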
Comment | File | Size | Author |
---|---|---|---|
#2 | filefield-sources-2888308-2.patch | 925 bytes | David_Rothstein |
Comments
Comment #2
David_Rothstein (as a volunteer) commented: Here's a patch (untested) which just borrows the new code from core.
Comment #3
JJmonterey commented:
David,
So this does not affect authorized users? Also, I'm not sure I can visualize a scenario where anonymous users would be granted permission to upload to a private file folder or view private files.
Comment #4
David_Rothstein (as a volunteer) commented: Yes, this affects anonymous users only.
There are a lot of situations where an anonymous user would be able to upload a private file. (Typically they would not be able to view it after it is saved, but would still need to be able to view or preview it during upload.) An example would be uploading a résumé as part of a job application. (When fixing the underlying security issue, the security team got a surprising number of reports from sites who were affected by the general security issue, and all of them were allowing anonymous users to upload private files.)
Comment #6
quicksketch commented: Thanks, committed to 7.x-1.x!