From abae27f41fccd98b7eb4583a4b44c174fb5e6c9e Mon Sep 17 00:00:00 2001 From: Ingo Schommer Date: Fri, 28 Aug 2015 10:11:43 +1200 Subject: [PATCH] Clarified upload usage and security considerations --- docs/en/installation.md | 23 +++++++++++++++++++++++ docs/en/user-documentation.md | 4 ++++ 2 files changed, 27 insertions(+) diff --git a/docs/en/installation.md b/docs/en/installation.md index d810c40..7401eae 100644 --- a/docs/en/installation.md +++ b/docs/en/installation.md 
@@ -19,6 +19,29 @@ After installation, make sure you rebuild your database through `dev/build`. You should see a new PageType in the CMS 'User Defined Form'. This has a new 'Form' tab which has your form builder. +## File Uploads and Security + +The module allows adding a "File Upload Field" to a form, +which enables users of this form to upload files to the website's assets +so they can be viewed later by CMS authors. Small files +are also attached to the (optional) email notifications +to any configured recipients. + +Allowed file extensions can be configured globally through `File.allowed_extensions`, +and default to a safe set of files (e.g. disallowing `*.php` uploads). +The allowed upload size is determined by PHP configuration +for this website (the smaller value of `upload_max_filesize` or `post_max_size`). + +Since uploaded files are kept in `assets/` folder of the webroot, there is no built-in +permission control around who can view them. It is unlikely +that website users guess the URLs to uploaded files unless +they are specifically exposed through custom code. + +Nevertheless, you should think carefully about the use case for file uploads. +Unauthorised viewing of files might be desired, e.g. submissions for public competitions. +In other cases, submissions could be expected to contain private data. +Please consider securing these files, e.g. through the [secureassets](http://addons.silverstripe.org/add-ons/silverstripe/secureassets) module. + ### Custom email templates If you want to use custom email templates set the following config option. diff --git a/docs/en/user-documentation.md b/docs/en/user-documentation.md index c734a99..0ae581e 100644 --- a/docs/en/user-documentation.md +++ b/docs/en/user-documentation.md 
@@ -111,6 +111,10 @@ The folder that this field uploads to can be customised by selecting "Show Optio and then selecting a new folder from the "Select upload folder" option. If no folder is selected it will upload by default to the "Uploads" folder. +Only certain file extensions are considered safe for upload, +e.g. webserver script files will be denied but images will be allowed. +The webserver environment also imposes a limit on file size by default. + #### Heading Selecting a Heading allows adds a place where you can put a heading for a form, or for
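Review bot: In docs/en/installation.md, the sentence "It is unlikely that website users guess the URLs to uploaded files unless they are specifically exposed through custom code" presents URL obscurity as a mitigation, directly after the section states that files in `assets/` have no built-in permission control. The user documentation touched by this same patch says uploads go to the "Uploads" folder by default, so the directory part of the URL is already known and only the file name is left unknown. I would reword the sentence to say plainly that anyone who has or obtains the URL can fetch the file. I would also move the secureassets recommendation up, so that it reads as the expected setup for forms that collect private data and not as a closing suggestion. Two smaller points in the same section: "Unauthorised viewing of files might be desired" contradicts itself, and "public viewing might be acceptable" says what is meant; and the remark that small files are attached to notification emails should state what counts as small, and note that those emailed copies are not covered by any protection later applied to `assets/`.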
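Review bot: In docs/en/user-documentation.md, the added paragraph covers allowed extensions and the size limit but omits the access-control caveat, and the CMS author who adds a File Upload Field is the reader who most needs it. As written, that warning lives only in installation.md, which a form author may never open. Suggest adding one sentence here along the lines of "Uploaded files are stored in the website's public assets folder and can be viewed by anyone who knows their URL, so do not collect private data through this field unless the files have been secured", with a link to the "File Uploads and Security" section. The phrase "imposes a limit on file size by default" is also vague for this audience: say that the limit is set in the server configuration and that a larger limit has to be requested from the site administrator.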