You should have uploaded files go to the private files directory instead to avoid this issue.
This issue originates from the already-closed issue #2820582: How to remove the file upload button?
When uploading a new file via the upload function on the website it displays the stored location of the file on the web server. By knowing the path and location of the file an attacker can “run” this file. This potentially may lead to an attacker uploading a shell script and running this script on the webserver which may lead to file system access on the web server.
If files are uploaded to the web server the location path on the web server should not be visible. Remove this information.
The patch as suggested at #2820582-3: How to remove the file upload button? fulfills this remediation and therefore has been applied on my customer's web application.
We believe this motivation justifies this patch to be committed to allow implementers prevention against feasible threats.
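As an added illustration (not a patch from this issue or the module), this is the core-side configuration the "private files directory" advice in the first comment refers to; it assumes Drupal 8 or later, settings.php, and a placeholder directory path.

```php
<?php
// settings.php excerpt, added as an illustration. Assumes Drupal 8+ and a
// placeholder directory; not code from this issue or the module's patch.

// Keep the private directory outside the web root. A file stored under the
// private:// scheme is never reachable by URL on the web server itself: Drupal
// streams it through its /system/files/... route after an access check, so a
// disclosed storage path gives an attacker nothing to request or execute directly.
$settings['file_private_path'] = '/var/www/example-site/private'; // placeholder path

// Sanity check: refuse a private path that resolves inside the document root,
// since that would put uploads straight back within the web server's reach.
$resolved = realpath($settings['file_private_path']) ?: $settings['file_private_path'];
if (strpos($resolved, DRUPAL_ROOT . DIRECTORY_SEPARATOR) === 0) {
  throw new \RuntimeException('file_private_path must lie outside the web root.');
}

// Each upload field must then use the private scheme: set its "Upload
// destination" to "Private files" (field storage setting uri_scheme: private)
// so new uploads land in the directory configured above.
```

Drupal writes its own .htaccess into the private directory on first use, but the directory still needs to be writable only by the web server account and unreadable by anyone else.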
Status: Closed (works as designed)
Version: 4.0
Component: Code