
File Upload Field Security Issue

  1. We have a form that uses the file upload field to upload doc/docx/pdf files. When someone uploads a new file, we cannot access the uploaded file from the entries screen in Gravity Forms. We get a 500 - Internal Server error. Upon checking the file system permissions for the uploaded files, the files are not inheriting all the folder permissions specified. When using Process Monitor, I see the IIS APPPOOL\WordPress user is trying to access the uploaded file, with an access denied. The IIS_IUSRS group has read/execute/list folder contents/read permission on the uploads folder - but the file did not inherit this permission. This seems to have started when we applied the Gravity Forms 1.6.3.3.2 update, as uploads prior to this update do not have the incorrect permissions. I have also applied the most recent update, version 1.6.4.1.1, and it has the same issue. How can I correct this?

    Posted 7 years ago on Thursday May 3, 2012 | Permalink
  2. David Peralty
    Administrator

    While I'm no server expert, I can say that Gravity Forms does not force or create any permissions relating to files. I am assuming you set both file and folder permissions and I'm assuming you have the WordPress user in the IUSRS group?

    Posted 7 years ago on Thursday May 3, 2012 | Permalink
  3. OK - found the issue. I updated the PHP version when I updated Gravity Forms last month. The upload_tmp_dir had reverted back to the wrong path. Uploads are sent to temp and then moved to the correct folder. The move operation moves the permissions from the temp folder, instead of inheriting the parent folder permissions. Here is a WordPress post talking about this:

    http://wordpress.org/support/topic/iis-image-upload-view-issues

    Thanks for now.

    Posted 7 years ago on Thursday May 3, 2012 | Permalink
  4. David Peralty
    Administrator

    Glad you got it figured out.

    Posted 7 years ago on Thursday May 3, 2012 | Permalink
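
An added example, not part of the original thread or of Gravity Forms: a PowerShell check for the condition described in post 3. It reports the `upload_tmp_dir` line from php.ini, lists uploaded files whose ACL lacks a read grant for IIS_IUSRS, and with `-Repair` resets them to the ACL inherited from the uploads folder. The two paths and the `-Repair` switch are assumptions for illustration.

```powershell
# Added example. Paths below are assumptions; adjust to the site's real locations.
param(
    [string]$PhpIni     = 'C:\PHP\php.ini',                        # assumed path
    [string]$UploadsDir = 'C:\inetpub\wwwroot\wp-content\uploads', # assumed path
    [string]$Group      = 'BUILTIN\IIS_IUSRS',
    [switch]$Repair                                                # hypothetical switch
)

# 1. Report the upload_tmp_dir PHP is configured to use (last uncommented setting wins).
$tmpLine = Select-String -Path $PhpIni -Pattern '^\s*upload_tmp_dir\s*=' |
           Select-Object -Last 1
if ($tmpLine) { "php.ini: $($tmpLine.Line.Trim())" }
else          { 'upload_tmp_dir is not set in php.ini' }

# 2. Return $true when the ACL on $Path has an Allow rule giving $Group read access.
function Test-GroupCanRead([string]$Path) {
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    foreach ($rule in (Get-Acl -LiteralPath $Path).Access) {
        if ($rule.IdentityReference.Value -eq $Group -and
            $rule.AccessControlType -eq 'Allow' -and
            ($rule.FileSystemRights -band $read) -eq $read) { return $true }
    }
    return $false
}

# 3. List uploaded files that carry an ACL without the group's read grant,
#    which is what a file moved in from a differently-permissioned temp folder looks like.
$broken = @(Get-ChildItem -LiteralPath $UploadsDir -Recurse -File |
            Where-Object { -not (Test-GroupCanRead $_.FullName) })
$broken | ForEach-Object { "missing $Group read: $($_.FullName)" }
"{0} file(s) affected" -f $broken.Count

# 4. With -Repair, replace each file's ACL with the default one inherited
#    from its current parent folder (icacls /reset).
if ($Repair) {
    foreach ($f in $broken) { icacls $f.FullName /reset | Out-Null }
}
```

Run it without `-Repair` first to review the list; resetting ACLs only fixes files already moved, so `upload_tmp_dir` still needs to point at a folder with the intended permissions.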

This topic has been resolved and has been closed to new replies.