Drupal 7 Upload Destination Change to Private
Related to DRUPAL-PSA-2016-003.
Currently the Webform file component uses public files as the default upload destination. This is probably because the private files path is not always available if not configured correctly in Drupal settings. The file upload destination should automatically default to "private files" if available.
Source: https://www.drupal.org/project/webform/issues/2816303
Comments
Here's a patch to implement this change.
The patch will change the file upload destination setting description as follows:
Comment #7
cilefen Credit Attribution: cilefen as a volunteer commented
Comment #8
cilefen Credit Attribution: cilefen as a volunteer commented
You could replace this with a ternary. But it's not a big deal.
The comment needs wrapping to 80 columns and "See" should be @see, with the actual URL to the PSA.
A suggestion: add something like the hook_requirements() from #2816121-4: [meta] Is there anything webform can do to mitigate PSA-2016-003?
1) What can we do to get Drupal core to do a better job of handling temporary files from the public files delivery method so modules like webform won't have to jump through hoops to fix it on a one-on-one basis, leaving new or older modules wide open because they aren't familiar with the risk?
https://www.drupal.org/node/2817427
2) The "Attach file" check box that is available when mime mail is present needs to have a description that states the mime mail "arbitrary file" permission must be set for anonymous/authenticated in order for the attachments to work as expected and show up in email. A better solution might be to have webform automatically override this specifically for webform so the entire site isn't left wide open to this security issue.
I'm also trying to test best practice on this (and default to a private off-root ../private directory) but going this route seems to prevent access to the uploaded file. IE my files have uploaded without issues and are sitting pretty in ../private but the webform results page no longer lists/shows the uploaded file. Before you release this as a default setting don't we need to make sure this won't cause issues? In my case I've been searching and testing for over two hrs to get this working. Use case is simple. Client wants to let users upload files with their contact forms, we need the directory to be properly secure/private and the client needs to see what's been uploaded (of course) - and we can't get this simple requirement working.
Q.
Comment #12
cilefen Credit Attribution: cilefen as a volunteer commented
@quantos: I can say for a fact that private files work with webform. What you are describing doesn't sound fun, but it is a separate issue. You may want to open a new issue, describing the configuration of the private files directory and of the particular webform field.
@cilefen - thanks and sorry, you're quite right. Got this working now (but still don't know why it wasn't - which is/was my wider concern). Good luck with the updates guys.
Q.
@#10 - "The "Attach file" check box that is available when mime mail is present needs to have a description that states the mime mail "arbitrary file" permission must be set for anonymous/authenticated in order for the attachments to work as expected and show up in email."
That is the knowledge that I have spent the last week trying to track down. Thanks! Definitely needs to go in the help text! :)
Why array_key_exists() instead of isset()?
This is the message that was used in YAML Form:
t('Public files upload destination is dangerous for forms that are available to anonymous and/or untrusted users. For more information see:') . ' <a href="https://www.drupal.org/psa-2016-003">DRUPAL-PSA-2016-003</a>'
Comment #16
cilefen Credit Attribution: cilefen as a volunteer commented
I think whether this is to be fixed at this stage depends on support for the 4.x branch, because YAML Form *is* webform in 5.x.
Webform 7.x-4.x is still supported.
We keep getting bitten by this when non-technical users create new webforms with file upload fields and skip through the defaults.
Here is an updated patch (I've given credit to OP) with the following changes:
- isset() instead of array_key_exists()
- t() according to the docs
Hope it moves this issue forward. Thanks!
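As an added illustration of the two ideas raised in this thread (a hook_requirements() check for the private path, and defaulting new Webform file components to the private scheme with a PSA warning in the description), here is a small Drupal 7 helper module. This is not the patch attached to the issue; the module name "webform_private_default", the Webform form keys `$form['extra']['scheme']` and `$form['cid']['#value']`, and the use of `isset()` as the thread suggests are assumptions on my part.

```php
<?php
// Added example, not Webform's own code. Module name is hypothetical.

/**
 * Implements hook_requirements().
 *
 * Flags on the status report when form uploads can only land in public://.
 */
function webform_private_default_requirements($phase) {
  $requirements = array();
  if ($phase != 'runtime') {
    return $requirements;
  }
  $t = get_t();
  // A usable private scheme needs both a configured path and a registered wrapper.
  $private_ok = variable_get('file_private_path', '') !== ''
    && file_stream_wrapper_valid_scheme('private');
  $requirements['webform_private_default'] = array(
    'title' => $t('Private file system for form uploads'),
    'value' => $private_ok ? $t('Configured') : $t('Not configured'),
    'severity' => $private_ok ? REQUIREMENT_OK : REQUIREMENT_WARNING,
    'description' => $private_ok ? '' : $t('Uploads from forms available to anonymous or untrusted users are stored in the public files directory. Configure a private file path outside the web root; see <a href="@url">DRUPAL-PSA-2016-003</a>.', array('@url' => 'https://www.drupal.org/psa-2016-003')),
  );
  return $requirements;
}

/**
 * Implements hook_form_FORM_ID_alter() for webform_component_edit_form().
 *
 * Defaults the upload scheme of a *new* file component to private when the
 * site offers it, and appends the PSA warning to the setting description.
 */
function webform_private_default_form_webform_component_edit_form_alter(&$form, &$form_state) {
  // Only file components carry the scheme selector (assumed key, per file.inc).
  if (!isset($form['extra']['scheme'])) {
    return;
  }
  // Assumed: 'cid' is a value element that is empty for unsaved components.
  $is_new = empty($form['cid']['#value']);
  $options = $form['extra']['scheme']['#options'];
  // isset() is enough here: the options array never stores NULL values.
  if ($is_new && isset($options['private'])) {
    $form['extra']['scheme']['#default_value'] = 'private';
  }
  $warning = t('Public files upload destination is dangerous for forms that are available to anonymous and/or untrusted users. See <a href="@url">DRUPAL-PSA-2016-003</a>.', array('@url' => 'https://www.drupal.org/psa-2016-003'));
  $existing = isset($form['extra']['scheme']['#description']) ? $form['extra']['scheme']['#description'] . ' ' : '';
  $form['extra']['scheme']['#description'] = $existing . $warning;
}
```

Existing components keep whatever scheme they were saved with; only unsaved ones are steered to private, which avoids the results-page breakage described earlier when a destination is switched underneath already-uploaded files.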
Comment #20
Mile23 Credit Attribution: Mile23 as a volunteer commented
Got hit by this today.
Patch no longer applies: