Found that Webforms will upload files to the server even form validation failure. This is a potential security issue on Webforms with CAPTCHA, especially public Webforms, since malicious scripts can continuously upload files and go over any set limits/quotas. I wrote up a solution, mostly in a separate custom module:

/**
 * Implementation of hook_form_validate
 * Cleans up uploaded files on form validation fail
 * Registered in webform.module's webform_client_form() function
 */
function wfedit_webform_form_file_cleanup($form, &$form_state) {
	if(count(form_get_errors()) > 0) { //form failed validation
		if(isset($form_state['values']['submitted'])) {
			//get all submitted file ids
			$file_ids = array();
			foreach($form_state['values']['submitted'] as $submitted) {
				if(is_array($submitted) && isset($submitted['_fid']) &&
						!empty($submitted['_fid'])) {
					$file_ids[] = $submitted['_fid'];
				}
			}
			
			//delete all submitted files
			foreach($file_ids as $fid) {
				$file = webform_get_file($fid);
				file_delete($file->filepath);
				db_query("DELETE FROM {files} WHERE fid = %d", $fid);
			}
		}
	}
}

In the webform.module file, I added the following to the webform_client_form() function:

$form['#validate'] = array('webform_client_form_validate',
  		//@hack
  		//allows us to manipulate form after webform module validation
  		'wfedit_webform_form_file_cleanup');

This last addition is a hack, of course, since it's added right into the Webform module. Hopefully, if this issue is deemed worthy, it will be pushed down into a patch and update.

The solution was tested on specific forms, and may need more general testing.

Comments

quicksketch’s picture

Status: Active » Closed (works as designed)

Found that Webforms will upload files to the server even form validation failure.

You'll find that *all* Drupal forms upload files upon clicking submit, whether there is a validation error or not. This is merely a behavior of how HTML works, though it's true that not all modules upload files to their final location; often they store them in a temporary directory that is not web-accessible.

This is a potential security issue on Webforms with CAPTCHA, especially public Webforms, since malicious scripts can continuously upload files and go over any set limits/quotas.

Even if the file is uploaded, it still must pass Webform's built-in file validation checks (extension, file-size, etc.) in order to be uploaded, meaning there's nothing wrong with the file itself. Regarding quotas... the files are marked with a status of 0 in the 'files' database table, meaning that they'll be cleaned up automatically on cron jobs after 6 hours unless they are marked permanent. I'd suggest a reasonable cap such as 10 submissions per hour that would prevent the server from being filled up by a script.