
file upload security

  1. Just got going with your products and so far I am very happy with your creation.

    One thing I noticed was with the file upload feature that the files are created in an insecure folder based on the form then date. When it is created it is based on the month without an index.html file in it.

    /wp-content/uploads/gravity_forms/1/2011/02

    This may seem nit-picky, but for my application of the form I don't want people being able to poke around my folder, so I will have to drop my own index.html files all over the place. Can you address my concern? Thank you.

    Posted 13 years ago on Saturday February 26, 2011
  2. You can use a filter to specify your upload location. Here's a previous thread with details.

    http://www.gravityhelp.com/forums/topic/specify-upload-location#post-12459

    Posted 13 years ago on Sunday February 27, 2011
  3. You can also configure your server so that directory indexes are turned off, and files in the directory are not listed. To get to the file, the visitor would have to guess the name. They can probably guess all the locations.

    On an Apache server, you can add this to a .htaccess file and put it in /wp-content/uploads/ or /wp-content/ or even / if you want to turn off directory indexes across the whole site. This will work if the server allows this type of override in a .htaccess file. In any case, this is what to put in the .htaccess file (note the leading dot):

    Options -Indexes

    At least that way the directory of files is not listed. There's normally no reason to have directory indexes turned on in a WordPress installation. And you can always override this rule to make the server show indexes for specific directories.

    This works if you are using Apache on Linux and the server is configured to allow this sort of override in the .htaccess file. If you get a "500 Internal Server Error" (white screen) after adding this rule to your .htaccess file, the server probably does not allow it and this will not work for you.

    Posted 13 years ago on Sunday February 27, 2011
  4. Thanks!

    Posted 13 years ago on Thursday March 3, 2011

This topic has been resolved and has been closed to new replies.
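
An added example, not part of the original thread or of Gravity Forms: a Python audit of the upload tree discussed in the third reply, reporting which directories Apache would still list after `Options -Indexes` and index files are put in place. The function names are hypothetical, and it assumes the server default enables Indexes, that the server lets .htaccess set Options, and that index.html, index.htm and index.php are the configured DirectoryIndex names.

```python
import os
import re

# Assumed DirectoryIndex names; adjust to match the server's configuration.
INDEX_FILES = {"index.html", "index.htm", "index.php"}
# An uncommented Options directive at the start of a line.
OPTIONS_RE = re.compile(r"^[ \t]*Options[ \t]+(.+)$", re.I | re.M)

def indexes_setting(htaccess):
    """True/False if this .htaccess turns Indexes on/off, None if it is silent."""
    try:
        with open(htaccess, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return None
    state = None
    for match in OPTIONS_RE.finditer(text):
        tokens = [t.lower() for t in match.group(1).split()]
        if any(t[0] in "+-" for t in tokens):
            # Relative form (+/-): only an explicit Indexes token changes the state.
            if "-indexes" in tokens:
                state = False
            elif "+indexes" in tokens:
                state = True
        else:
            # Absolute form replaces all inherited options.
            state = "indexes" in tokens or "all" in tokens
    return state

def listable_dirs(root, server_default=True):
    """Return paths (relative to root) of directories Apache would list."""
    root = os.path.abspath(root)
    inherited = {os.path.dirname(root): server_default}
    exposed = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic report order
        own = indexes_setting(os.path.join(dirpath, ".htaccess"))
        state = inherited[os.path.dirname(dirpath)] if own is None else own
        inherited[dirpath] = state
        # A directory is listed only if Indexes is on and no index file is served.
        if state and not any(f in INDEX_FILES for f in filenames):
            exposed.append(os.path.relpath(dirpath, root))
    return exposed

if __name__ == "__main__":
    import sys
    for d in listable_dirs(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("listable:", d)
```

This reads the filesystem only, so confirm the result with a request to one of the reported directories; the main server configuration can still change what is actually served.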