- Status changed to Closed: duplicate
over 1 year ago 6:01pm 24 July 2023
When webform submissions can be saved as drafts, files uploaded via a file element do not seem to ever get deleted -- even if the user explicitly uses the "Remove" button to remove them from the submission.
This could have security repercussions. Imagine a user uploads a sensitive file by mistake, realizes their error and uses the "Remove" button to remove the file. They then submit the webform with a different file. Unbeknownst to the user, the original sensitive file is still saved in the Drupal file system.
1. Spin up a Drupal instance with Webform installed on simplytest.me
2. Create a webform
3. Add a file element to the webform
4. Go to /admin/structure/webform/manage/YOUR_WEBFORM_ID/settings/submissions and set "Allow your users to save and finish the webform later" to "Authenticated and anonymous users"
5. View the webform. Attach a file to the file element. Click "Save Draft"
6. Go to /admin/content/files and notice the attachment is there with "Permanent" state
7. Go back to your webform in draft state. Click the "Remove" button for the file you had uploaded. Click "Save Draft"
8. Go back to /admin/content/files and notice the attachment is still there with "Permanent" state
9. Go back to your webform and upload a different file to your file element. Click "Save Draft"
10. Go back to /admin/content/files and notice both attachments are there with "Permanent" state
11. Go back one more time to the webform and "Submit"
12. Go back to /admin/content/files and notice both attachments are there still with "Permanent" state and can be downloaded
13. Run cron. Files still there.
14. Clear all caches. Files still there.
Files should be deleted from the server immediately if the user uses the "Remove" button while creating their submission.
Closed: duplicate
6.2
Code
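An audit for the condition reported above, as an added example that is not part of the original issue or of Webform's code: it lists permanent files under one webform's upload path that no saved submission value references any more. The table and column names are assumptions, simplified from Drupal's `file_managed` and Webform's `webform_submission_data`; the upload path layout, the webform ID `contact` and the element key `attachment` are constructed sample values.

```python
import sqlite3

# Permanent files under a webform's upload path that no submission references.
AUDIT_SQL = """
SELECT fm.fid, fm.uri FROM file_managed fm
WHERE fm.status = 1
  AND substr(fm.uri, 1, length(:prefix)) = :prefix
  AND NOT EXISTS (
    SELECT 1 FROM webform_submission_data d
    WHERE d.webform_id = :webform_id
      AND d.name = :element
      AND d.value = CAST(fm.fid AS TEXT))
ORDER BY fm.fid
"""

def find_unreferenced_uploads(conn, webform_id, element, prefix):
    """Return (fid, uri) rows for permanent files no submission points at."""
    # Matching on the file element's key keeps other elements' numeric values
    # (which may equal a fid by coincidence) from hiding an orphaned file.
    params = {"webform_id": webform_id, "element": element, "prefix": prefix}
    return conn.execute(AUDIT_SQL, params).fetchall()

def build_sample_db():
    """Constructed data mirroring steps 5-11 of the report (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE file_managed (fid INTEGER PRIMARY KEY, uri TEXT, status INTEGER);
        CREATE TABLE webform_submission_data (
            webform_id TEXT, sid INTEGER, name TEXT, value TEXT);
    """)
    conn.executemany("INSERT INTO file_managed VALUES (?, ?, ?)", [
        (10, "private://webform/contact/1/sensitive.pdf", 1),  # removed in step 7
        (11, "private://webform/contact/1/intended.pdf", 1),   # uploaded in step 9
        (12, "public://article/logo.png", 1),                  # unrelated file
    ])
    conn.executemany("INSERT INTO webform_submission_data VALUES (?, ?, ?, ?)", [
        ("contact", 1, "attachment", "11"),  # submission references fid 11 only
        ("contact", 1, "quantity", "10"),    # number field equal to a fid by chance
    ])
    return conn

if __name__ == "__main__":
    rows = find_unreferenced_uploads(
        build_sample_db(), "contact", "attachment", "private://webform/contact/")
    for fid, uri in rows:
        print(f"fid {fid} is permanent but unreferenced: {uri}")
```

A row returned by the query is a candidate for manual review, not proof of an orphan; check the names against the site's actual schema before running it on a database copy.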