Developer forum


Hide images from formuploads from anonymous users in frontend

Frederik Rossen

We have a form which includes 3 file upload fields (usually used for images), and whenever someone submits the form, the images get stored under System -> Formuploads -> "formname": 

The problem is these can be accessed via the browser, and since this will be used for RMA cases, it might be customer sensitive data stored here.

How can we secure the FormUploads folder from being accessed in the frontend? We already have the following permissions on the FormUploads + RMA folder: 

 


Replies

 
Nicolai Pedersen

Hi Frederik

You can add this to web.config to avoid anonymous download of files

<add name="formuploads" path="files/system/formuploads/**" verb="*" type="System.Web.HttpForbiddenHandler" />

You have to add it to this section which is already in web.config

  <location path="Files">
    <system.webServer>
      <staticContent>
        <remove fileExtension=".cshtml" />
        <mimeMap fileExtension=".cshtml" mimeType="text/plain" />
        <remove fileExtension=".vbhtml" />
        <mimeMap fileExtension=".vbhtml" mimeType="text/plain" />
        <remove fileExtension=".aspx" />
        <mimeMap fileExtension=".aspx" mimeType="text/plain" />
        <remove fileExtension=".log" />
        <mimeMap fileExtension=".log" mimeType="text/plain" />
      </staticContent>
      <handlers>
        <clear />
        <add name="globalsettings.xml.aspx_*" path="globalsettings.xml.aspx" verb="*" type="System.Web.HttpForbiddenHandler" preCondition="integratedMode,runtimeVersionv4.0" />
        <add name="Globalsettings.aspx_*" path="globalsettings.aspx" verb="*" type="System.Web.HttpNotFoundHandler" preCondition="integratedMode,runtimeVersionv4.0" />
        <add name="_sys_crm_report_xml.aspx_*" path="_sys_crm_report_xml.aspx" verb="*" type="System.Web.HttpForbiddenHandler" preCondition="integratedMode,runtimeVersionv4.0" />
        <add name="deployment" path="files/system/deployment/**" verb="*" type="System.Web.HttpForbiddenHandler" />
        <add name="dataportability" path="files/system/dataportability/**" verb="*" type="System.Web.HttpForbiddenHandler" />
        <add name="logfiles" path="files/system/log/**" verb="*" type="System.Web.HttpForbiddenHandler" />
        <add name="integration" path="files/files/Integration/**" verb="*" type="System.Web.HttpForbiddenHandler" />
        <add name="StaticFile" path="*" verb="*" modules="StaticFileModule" resourceType="File" requireAccess="Read" />
      </handlers>
    </system.webServer>
  </location>

BR Nicolai
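
A way to lint the edited section before deploying, as an added example that is not part of the original reply: it checks that handler names are unique (IIS keys the handlers collection by name) and that the forbidden entry for the upload folder comes before the catch-all StaticFile mapping, since handlers are matched in order. The sample web.config is a constructed, trimmed copy of the section above, and the handler name `formuploads` is a hypothetical choice.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed copy of the <location path="Files"> section from
# the reply, with the upload rule added under a hypothetical name "formuploads".
SAMPLE = """<configuration>
  <location path="Files">
    <system.webServer>
      <handlers>
        <clear />
        <add name="logfiles" path="files/system/log/**" verb="*" type="System.Web.HttpForbiddenHandler" />
        <add name="formuploads" path="files/system/formuploads/**" verb="*" type="System.Web.HttpForbiddenHandler" />
        <add name="StaticFile" path="*" verb="*" modules="StaticFileModule" resourceType="File" requireAccess="Read" />
      </handlers>
    </system.webServer>
  </location>
</configuration>"""

FORBIDDEN = "System.Web.HttpForbiddenHandler"

def check_handlers(config_xml, protected="files/system/formuploads/"):
    """Return a list of problems in the Files handler section (empty = OK)."""
    root = ET.fromstring(config_xml)
    adds = []
    for loc in root.iter("location"):
        if loc.get("path", "").lower() == "files":
            adds = loc.findall("system.webServer/handlers/add")
    if not adds:
        return ['no handlers under <location path="Files">']
    problems = []
    # Names are compared case-insensitively to stay on the conservative side.
    names = [a.get("name", "").lower() for a in adds]
    for name in sorted(set(names)):
        if names.count(name) > 1:
            problems.append(f"duplicate handler name: {name}")
    # Index of every deny rule covering the upload folder, and of every catch-all.
    deny = [i for i, a in enumerate(adds)
            if a.get("path", "").lower().startswith(protected)
            and a.get("type") == FORBIDDEN]
    catch_all = [i for i, a in enumerate(adds) if a.get("path") == "*"]
    if not deny:
        problems.append(f"no {FORBIDDEN} entry for {protected}")
    elif catch_all and min(catch_all) < min(deny):
        problems.append("deny rule is listed after the catch-all handler")
    return problems

if __name__ == "__main__":
    print(check_handlers(SAMPLE) or "handler section looks consistent")
```

After deploying, an unauthenticated request for a file under the upload folder should return 403 rather than the file.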

 
