File upload fields added to contact forms should upload to private:// by default

Created on 24 January 2023, almost 2 years ago
Updated 23 August 2024, 4 months ago

Problem/Motivation

When a file field is added to contact forms (the contact_message) entity, the uploaded files are stored in the public scheme by default. This creates a possible security risk if the user which adds the field to a contact form isn't aware of the security implications this has.

Proposed resolution

Set the default scheme for new fields to private by default. If the user wants, switching to the public scheme is still possible, but should be done explicitly.

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

โœจ Feature request
Status

Needs work

Version

11.0 ๐Ÿ”ฅ

Component
Contactย  โ†’

Last updated about 1 month ago

Created by

๐Ÿ‡ณ๐Ÿ‡ฑNetherlands Ruuds

Live updates comments and jobs are added and updated live.
  • Usability

    Makes Drupal easier to use. Preferred over UX, D7UX, etc.

  • Security

    It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupalโ€™s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the โ€œReport a security vulnerabilityโ€ link in the project pageโ€™s sidebar. See how to report a security issue for details.

Sign in to follow issues

Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Issue created by @Ruuds
  • Status changed to Needs review almost 2 years ago
  • Status changed to RTBC almost 2 years ago
  • ๐Ÿ‡ฎ๐Ÿ‡ณIndia nidhi27

    I have tested this patch on 10.1.x-dev version.

    At the time of creating file field default value is selected as private for file uploading folder.

    I have attached the screenshot as well.

  • Status changed to Needs work almost 2 years ago
  • ๐Ÿ‡ซ๐Ÿ‡ฎFinland lauriii Finland

    Seems sensible to me that contact form files would be considered as private by default.

    +++ b/core/modules/contact/contact.module
    @@ -248,3 +249,20 @@ function contact_form_user_admin_settings_submit($form, FormStateInterface $form
    +  if ($field->getTargetEntityTypeId() === 'contact_message' && $field->getType() === 'file') {
    

    Should we also check if the stream wrapper for private files exists? It seems like now we could be configuring an option by default which is not available for all sites.

    We should also add tests for this, just to confirm it works (and continues to do so).

  • Should we also check if the stream wrapper for private files exists?

    Correct. You cannot assume that wrapper exists. Webform module has the same idea and probably the code to borrow.

  • Status changed to Needs review almost 2 years ago
  • ๐Ÿ‡ฎ๐Ÿ‡ณIndia mehul.gada Mumbai

    Here is the patch to check if the private files exists or not and accordingly set the default value.

  • Status changed to Needs work over 1 year ago
  • ๐Ÿ‡ฆ๐Ÿ‡บAustralia larowlan ๐Ÿ‡ฆ๐Ÿ‡บ๐Ÿ.au GMT+10

    I think this is a good addition, however how about instead of forcing it, we target the field storage form with a form alter hook.

    Otherwise with this approach, the user could submit the form with 'public' and then go back to edit and see private and be confused.

    If we use a form alter, we can show a message as to why public isn't available as an option or similar.

    Also, we need some tests here.

    Great idea, love security by default!

  • Pipeline finished with Failed
    7 months ago
    Total: 241s
    #187294
  • Pipeline finished with Failed
    7 months ago
    Total: 378s
    #187301
  • Pipeline finished with Canceled
    7 months ago
    Total: 452s
    #187307
  • Pipeline finished with Failed
    7 months ago
    Total: 512s
    #187323
  • Pipeline finished with Canceled
    7 months ago
    Total: 657s
    #187351
  • Pipeline finished with Failed
    7 months ago
    Total: 520s
    #187362
  • Pipeline finished with Canceled
    7 months ago
    Total: 502s
    #196511
  • Pipeline finished with Canceled
    7 months ago
    Total: 126s
    #196520
  • Pipeline finished with Success
    7 months ago
    Total: 609s
    #196531
  • Pipeline finished with Canceled
    7 months ago
    Total: 14s
    #197902
  • Pipeline finished with Success
    7 months ago
    Total: 568s
    #197905
  • Status changed to Needs review 7 months ago
  • ๐Ÿ‡ณ๐Ÿ‡ฑNetherlands Ruuds

    I've implemented the suggestion of @larowlan and also added a test for it. If the private stream wrapper is not available a warning is shown it is advised to store file uploads for contact forms as private files.

  • First commit to issue fork.
  • Pipeline finished with Canceled
    6 months ago
    Total: 417s
    #203249
  • Status changed to RTBC 6 months ago
  • ๐Ÿ‡บ๐Ÿ‡ธUnited States smustgrave

    Hiding patches for clarity

    Removing tests tag as coverage was added

    1) Drupal\Tests\contact\FunctionalJavascript\ContactFileFieldTest::testFileFieldHasPrivateSchemeByDefault
    Failed asserting that false is true.
    /builds/issue/drupal-3336081/core/modules/contact/tests/src/FunctionalJavascript/ContactFileFieldTest.php:72
    2) Drupal\Tests\contact\FunctionalJavascript\ContactFileFieldTest::testFileFieldHasPublicSchemeByDefaultWhenPrivateSchemeNotConfigured
    Behat\Mink\Exception\ResponseTextException: The text "It is advised to store file uploads for contact forms as private files. You can configure this in settings.php" was not found anywhere in the text of the current page.
    /builds/issue/drupal-3336081/vendor/behat/mink/src/WebAssert.php:907
    /builds/issue/drupal-3336081/vendor/behat/mink/src/WebAssert.php:293
    /builds/issue/drupal-3336081/core/tests/Drupal/Tests/WebAssert.php:975
    /builds/issue/drupal-3336081/core/modules/contact/tests/src/FunctionalJavascript/ContactFileFieldTest.php:115
    FAILURES!
    Tests: 2, Assertions: 20, Failures: 2.
    

    Applied some formatting changes to the hook and tests but appears @larowlan feedback from #7 has been addressed.

  • Pipeline finished with Success
    6 months ago
    Total: 500s
    #203252
  • Status changed to Needs work 6 months ago
  • ๐Ÿ‡ฌ๐Ÿ‡งUnited Kingdom alexpott ๐Ÿ‡ช๐Ÿ‡บ๐ŸŒ

    Added some review comments. I agree with @larowlan that this is a nice addition.

  • Pipeline finished with Failed
    6 months ago
    Total: 8574s
    #215977
  • Pipeline finished with Failed
    6 months ago
    Total: 601s
    #216079
  • Pipeline finished with Success
    6 months ago
    Total: 538s
    #216089
  • Pipeline finished with Failed
    6 months ago
    Total: 595s
    #216395
  • Pipeline finished with Failed
    6 months ago
    Total: 515s
    #216405
  • Pipeline finished with Failed
    6 months ago
    Total: 1251s
    #216427
  • Pipeline finished with Failed
    6 months ago
    Total: 153s
    #216506
  • Pipeline finished with Success
    6 months ago
    Total: 490s
    #216507
  • Status changed to Needs review 6 months ago
  • ๐Ÿ‡ณ๐Ÿ‡ฑNetherlands Ruuds
  • Status changed to RTBC 6 months ago
  • ๐Ÿ‡บ๐Ÿ‡ธUnited States smustgrave

    Believe feedback from @alexpott has been addressed from what I can see.

  • ๐Ÿ‡ณ๐Ÿ‡ฟNew Zealand quietone

    I read the IS summary, the comments and the MR. The proposed resolution is out of dateAll questions are answered and the threads in the MR are correctly resolved.

    I then applied the diff and tested. This works as expected and is an improvement!

    I do think there follow up work.

    • Add this feature to media files as well.
    • The warning message uses the string 'It is advised' which is the first occurrence in core for a warning message. Because of that I think that the usability folks should review the string.
    • The first time I read "It is advised to store file uploads for contact forms as private files. You can configure this in settings.php" I read the first as something to action so I tried to. Of course, the option is not available and I knew that but I still tried! So, again, I think the a usability review would help.

    I think the above items can be done in followups. I am adding the tag for that.

    I finally read the test. Is there a reason it is only testing 1 code path?

  • Status changed to Needs work 4 months ago
  • ๐Ÿ‡ฌ๐Ÿ‡งUnited Kingdom longwave UK

    I think the error message needs work. Is there a handbook page that we can link to on d.o that explains how and why you should configure private files? If so I think we should link there in either case, we don't need to separate out the two cases.

Production build 0.71.5 2024