Merge pull request #933 from creative-commoners/securing-the-docs

DOCS additional note to keeping uploaded files secure
This commit is contained in:
Ingo Schommer 2020-02-03 11:37:09 +13:00 committed by GitHub
commit f1ee7c8eab
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 8 additions and 5 deletions

View File

@ -52,11 +52,13 @@ The folder that this field uploads to can be customised by selecting "Show Optio
and then selecting a new folder from the "Select upload folder" option. If no folder
is selected it will upload by default to the "Uploads" folder.
Only certain file extensions are considered safe for upload,
e.g. webserver script files will be denied but images will be allowed.
The webserver environment also imposes a limit on file size by default.
If the default "Uploads" folder is used, or if you choose a folder that does not have additional CMS access permissions set, you may be exposing files uploaded via your form to the public, as well as anyone with access to the CMS.
You can set any permission requirements on the upload folder by finding it in the "Files" area, clicking on it to edit and going to the "Permissions" tab.
Only certain file extensions are considered safe for upload,
e.g. webserver script files will be denied but images will be allowed. The webserver environment also imposes a limit on file size by default.
You can set any permissions requirements on the upload folder by finding it in the "Files" area, clicking on it to edit and going to the "Permissions" tab.
## Heading

View File

@ -21,6 +21,7 @@ This is your responsibility, but here are a few tips to get you started:
* Ensure you have the necessary consents for processing and storing data according to your legislation (e.g. GDPR)
* Only accept form submissions via encrypted transfers (HTTPS) - check our [Secure Coding](https://docs.silverstripe.org/en/4/developer_guides/security/secure_coding/) guidelines
* Control access to form submissions (via CMS page access controls)
* Control access to files uploaded with submissions (via [folder access controls](field-types.md#file-upload-field))
* Create a process to limit the types of data you are allowed to collect via this feature (e.g. no payment information or health data)
* Create a process for limiting submission storage duration (manual deletion)
* Consider further safeguards such as at-rest encryption (check [encryption related addons](https://addons.silverstripe.org/add-ons?search=encrypt))
@ -30,4 +31,4 @@ This is your responsibility, but here are a few tips to get you started:
* [Create and edit forms](creating-and-editing-forms.md)
* [Add different field types to a form](field-types.md)
* [Set up multipage forms](multipage-forms.md)
* [View submissions and set up automated emails upon form completion](form-submissions.md)
* [View submissions and set up automated emails upon form completion](form-submissions.md)