Closed (works as designed)
Project:
Webform
Version:
6.x-3.14
Component:
Code
Priority:
Normal
Category:
Bug report
Assigned:
Unassigned
Reporter:
Created:
15 Nov 2011 at 19:13 UTC
Updated:
4 Mar 2012 at 07:50 UTC
Found that Webforms will upload files to the server even form validation failure. This is a potential security issue on Webforms with CAPTCHA, especially public Webforms, since malicious scripts can continuously upload files and go over any set limits/quotas. I wrote up a solution, mostly in a separate custom module:
/**
* Implementation of hook_form_validate
* Cleans up uploaded files on form validation fail
* Registered in webform.module's webform_client_form() function
*/
function wfedit_webform_form_file_cleanup($form, &$form_state) {
if(count(form_get_errors()) > 0) { //form failed validation
if(isset($form_state['values']['submitted'])) {
//get all submitted file ids
$file_ids = array();
foreach($form_state['values']['submitted'] as $submitted) {
if(is_array($submitted) && isset($submitted['_fid']) &&
!empty($submitted['_fid'])) {
$file_ids[] = $submitted['_fid'];
}
}
//delete all submitted files
foreach($file_ids as $fid) {
$file = webform_get_file($fid);
file_delete($file->filepath);
db_query("DELETE FROM {files} WHERE fid = %d", $fid);
}
}
}
}
In the webform.module file, I added the following to the webform_client_form() function:
$form['#validate'] = array('webform_client_form_validate',
//@hack
//allows us to manipulate form after webform module validation
'wfedit_webform_form_file_cleanup');
This last addition is a hack, of course, since it's added right into the Webform module. Hopefully, if this issue is deemed worthy, it will be pushed down into a patch and update.
The solution was tested on specific forms, and may need more general testing.
Comments
Comment #1
quicksketchYou'll find that *all* Drupal forms upload files upon clicking submit, whether there is a validation error or not. This is merely a behavior of how HTML works, though it's true that not all modules upload files to their final location; often they store them in a temporary directory that is not web-accessible.
Even if the file is uploaded, it still must pass Webform's built-in file validation checks (extension, file-size, etc.) in order to be uploaded, meaning there's nothing wrong with the file itself. Regarding quotas... the files are marked with a status of 0 in the 'files' database table, meaning that they'll be cleaned up automatically on cron jobs after 6 hours unless they are marked permanent. I'd suggest a reasonable cap such as 10 submissions per hour that would prevent the server from being filled up by a script.