Prevent – file upload to webserver
-
When someone uploads files through the form, those files are stored on the web server. Is it possible to prevent the upload of attached files? I don’t want the files to be saved on the web server. It is sufficient if the files are sent by email and are then included in the email. I have concerns if a file is corrupt or infected and is then on the web server…
-
Hello @crownst !
Hope you’re having a good day!
Generally the preferred method to prevent malicious files from being uploaded would be to select only specific file types to be allowed in the Upload field. This of course doesn’t prevent the possibility of someone uploading a malicious file, but will certainly limit it. You can set this in the Settings tab on the Upload field by selecting Specific filetypes.
However if you want to make sure that the uploaded file is removed after the email was sent, you can use this snippet as a mu-plugin: https://gist.github.com/wpmudev-sls/7a32dc5407324cc902f8b9ad8970ef62
To install it on your site as a mu-plugin, please do the following:
- use the Raw button to get the plain text version of the code
- create a new file in wp-content/mu-plugins/forminator-send-file-as-an-attachment-in-email.php and paste the code
- on line 27 make sure to add the IDs of the forms you want the snippet to work on, you can find the form’s ID in the URL on that form’s edit screen or in the shortcode you use to add the form – you can add as many as you want
- test
I just tested it on an example form on my testing site and I can confirm it worked as expected, the file was attached to the email and removed from the server.
Kind regards,
Paweł
Thanks for the tip about the mu plugin. That basically worked. Multiple files are allowed when uploading files. If several files are uploaded, an error message appears in the form frontend “An error occurred while processing the form. Please try again” and a 500 Internal Server Error in the DEV console. The error with the multiple file upload only occurs if the mu plugin is activated. Does anything need to be adjusted in the mu plugin so that it works with multiple file uploads? If only one file is uploaded, then it works with the mu plugin code. Unfortunately not with several files. Thanks for the efforts.
Hello @crownst,
Could you please test the following snippet in /wp-content/mu-plugins/, instead of the previous one:
```php
<?php
// Attaches Forminator uploads to the notification email and, optionally,
// deletes them from the server once the email has been sent.
if ( ! class_exists( 'WPMUDEV_Frominator_Upload_Email_Attachment' ) ) {

    class WPMUDEV_Frominator_Upload_Email_Attachment {

        public $attachments           = array();
        public $attachments_to_delete = array();
        private static $_instance     = null;

        public static function get_instance() {
            if ( is_null( self::$_instance ) ) {
                self::$_instance = new WPMUDEV_Frominator_Upload_Email_Attachment();
            }
            return self::$_instance;
        }

        private function __construct() {
            add_filter( 'wp_mail', array( $this, 'filter_email_args' ) );
            add_filter( 'forminator_field_upload_general_settings', array( $this, 'add_attachment_settings' ) );
            add_action( 'forminator_custom_form_submit_before_set_fields', array( $this, 'manage_field_data' ), 20, 3 );
            add_action( 'forminator_custom_form_mail_after_send_mail', array( $this, 'delete_uploaded_files' ) );
        }

        // Adds two toggles to the Upload field settings; each must be enabled on the field.
        public function add_attachment_settings( $settings ) {
            $attachment_option = array(
                'type'  => 'Toggle',
                'label' => 'Attach to email',
                'name'  => 'use_as_attachment',
            );
            $delete_upload_option = array(
                'type'  => 'Toggle',
                'label' => 'Delete file after upload',
                'name'  => 'delete_uploaded_file',
            );
            array_push( $settings, $attachment_option, $delete_upload_option );
            return $settings;
        }

        // Collects the paths of uploaded files to attach and/or delete.
        public function manage_field_data( $entry, $form_id, $data ) {
            foreach ( $data as $key => $field_data ) {
                if ( ! isset( $field_data['name'] ) ) {
                    continue;
                }
                $field = Forminator_API::get_form_field( $form_id, $field_data['name'] );
                if ( is_wp_error( $field ) ) {
                    continue;
                }
                $field_type = Forminator_Field::get_property( 'type', $field );
                if ( 'upload' != $field_type ) {
                    continue;
                }
                // Skip fields that carry no file path instead of reading a missing index.
                if ( ! isset( $field_data['value']['file']['file_path'] ) ) {
                    continue;
                }
                $file_paths = $field_data['value']['file']['file_path'];

                if ( ! is_array( $file_paths ) ) {
                    // Single-file upload: file_path is a string.
                    if ( $file_paths ) {
                        if ( Forminator_Field::get_property( 'use_as_attachment', $field ) ) {
                            // Reset the list rather than unset() the declared property.
                            $this->attachments   = array();
                            $this->attachments[] = $file_paths;
                        }
                        if ( Forminator_Field::get_property( 'delete_uploaded_file', $field ) ) {
                            $this->attachments_to_delete[] = $file_paths;
                        }
                    }
                } else {
                    // Multiple-file upload: file_path is an array of paths.
                    $this->attachments = array();
                    foreach ( $file_paths as $fi_k => $fi_val ) {
                        if ( Forminator_Field::get_property( 'use_as_attachment', $field ) ) {
                            $this->attachments[] = $fi_val;
                        }
                        if ( Forminator_Field::get_property( 'delete_uploaded_file', $field ) ) {
                            $this->attachments_to_delete[] = $fi_val;
                        }
                    }
                }
            }
        }

        // Passes the collected files to wp_mail() as attachments.
        public function filter_email_args( $mail_args ) {
            if ( ! empty( $this->attachments ) ) {
                $mail_args['attachments'] = $this->attachments;
            }
            return $mail_args;
        }

        // Runs after the notification email is sent and removes the files from disk.
        public function delete_uploaded_files() {
            if ( ! empty( $this->attachments_to_delete ) ) {
                foreach ( $this->attachments_to_delete as $file_path ) {
                    // Only unlink files that are still present.
                    if ( file_exists( $file_path ) ) {
                        unlink( $file_path );
                    }
                }
            }
        }
    }

    if ( ! function_exists( 'wpmudev_forminator_upload_email_attachment' ) ) {
        function wpmudev_forminator_upload_email_attachment() {
            return WPMUDEV_Frominator_Upload_Email_Attachment::get_instance();
        }
        add_action( 'plugins_loaded', 'wpmudev_forminator_upload_email_attachment', 10 );
    }
}
```
Please let us know if there’s still any issue.
Best Regards,
Dmytro

Thanks for the new code. Unfortunately this doesn’t work for multiple file uploads. Is there a way to find out what the problem is from an error log? Or did it work in your tests?
Hi @crownst,
I tested the given code and it appears to work fine when tested on my side for multiple uploads, could we know what exact error you get after submission?
Possible to share a page URL where you have the form and also provide us with the form export so that we could have a better idea?
Please check the following doc on how to export a form:
https://wpmudev.com/docs/wpmu-dev-plugins/forminator/#import-export
If you are concerned about any sensitive information in the form, then you can duplicate your form, remove any sensitive information, and then export it.
You can share the export file via Google Drive, Dropbox or any cloud service in the next reply.
Looking forward to your response.
Best Regards,
Nithin
Hi,
So I don’t get an error message. I just see on the server that the attachments are still being saved on the server.
Export: https://file.io/7b0GcrlWjJ7C
Example: /wp-content/uploads/forminator/21718_25d7468ddd30f55e02f2f8d69ef3b5ba/uploads/EMt9PiJrCAur-sdfsda.pdf
I added this code under “/wp-content/mu-plugins/forminator-send-file-as-an-attachment-in-email.php”:

```php
<?php
// Attaches Forminator uploads to the notification email and, optionally,
// deletes them from the server once the email has been sent.
if ( ! class_exists( 'WPMUDEV_Frominator_Upload_Email_Attachment' ) ) {

    class WPMUDEV_Frominator_Upload_Email_Attachment {

        public $attachments           = array();
        public $attachments_to_delete = array();
        private static $_instance     = null;

        public static function get_instance() {
            if ( is_null( self::$_instance ) ) {
                self::$_instance = new WPMUDEV_Frominator_Upload_Email_Attachment();
            }
            return self::$_instance;
        }

        private function __construct() {
            add_filter( 'wp_mail', array( $this, 'filter_email_args' ) );
            add_filter( 'forminator_field_upload_general_settings', array( $this, 'add_attachment_settings' ) );
            add_action( 'forminator_custom_form_submit_before_set_fields', array( $this, 'manage_field_data' ), 20, 3 );
            add_action( 'forminator_custom_form_mail_after_send_mail', array( $this, 'delete_uploaded_files' ) );
        }

        // Adds two toggles to the Upload field settings; each must be enabled on the field.
        public function add_attachment_settings( $settings ) {
            $attachment_option = array(
                'type'  => 'Toggle',
                'label' => 'Attach to email',
                'name'  => 'use_as_attachment',
            );
            $delete_upload_option = array(
                'type'  => 'Toggle',
                'label' => 'Delete file after upload',
                'name'  => 'delete_uploaded_file',
            );
            array_push( $settings, $attachment_option, $delete_upload_option );
            return $settings;
        }

        // Collects the paths of uploaded files to attach and/or delete.
        public function manage_field_data( $entry, $form_id, $data ) {
            foreach ( $data as $key => $field_data ) {
                if ( ! isset( $field_data['name'] ) ) {
                    continue;
                }
                $field = Forminator_API::get_form_field( $form_id, $field_data['name'] );
                if ( is_wp_error( $field ) ) {
                    continue;
                }
                $field_type = Forminator_Field::get_property( 'type', $field );
                if ( 'upload' != $field_type ) {
                    continue;
                }
                // Skip fields that carry no file path instead of reading a missing index.
                if ( ! isset( $field_data['value']['file']['file_path'] ) ) {
                    continue;
                }
                $file_paths = $field_data['value']['file']['file_path'];

                if ( ! is_array( $file_paths ) ) {
                    // Single-file upload: file_path is a string.
                    if ( $file_paths ) {
                        if ( Forminator_Field::get_property( 'use_as_attachment', $field ) ) {
                            // Reset the list rather than unset() the declared property.
                            $this->attachments   = array();
                            $this->attachments[] = $file_paths;
                        }
                        if ( Forminator_Field::get_property( 'delete_uploaded_file', $field ) ) {
                            $this->attachments_to_delete[] = $file_paths;
                        }
                    }
                } else {
                    // Multiple-file upload: file_path is an array of paths.
                    $this->attachments = array();
                    foreach ( $file_paths as $fi_k => $fi_val ) {
                        if ( Forminator_Field::get_property( 'use_as_attachment', $field ) ) {
                            $this->attachments[] = $fi_val;
                        }
                        if ( Forminator_Field::get_property( 'delete_uploaded_file', $field ) ) {
                            $this->attachments_to_delete[] = $fi_val;
                        }
                    }
                }
            }
        }

        // Passes the collected files to wp_mail() as attachments.
        public function filter_email_args( $mail_args ) {
            if ( ! empty( $this->attachments ) ) {
                $mail_args['attachments'] = $this->attachments;
            }
            return $mail_args;
        }

        // Runs after the notification email is sent and removes the files from disk.
        public function delete_uploaded_files() {
            if ( ! empty( $this->attachments_to_delete ) ) {
                foreach ( $this->attachments_to_delete as $file_path ) {
                    // Only unlink files that are still present.
                    if ( file_exists( $file_path ) ) {
                        unlink( $file_path );
                    }
                }
            }
        }
    }

    if ( ! function_exists( 'wpmudev_forminator_upload_email_attachment' ) ) {
        function wpmudev_forminator_upload_email_attachment() {
            return WPMUDEV_Frominator_Upload_Email_Attachment::get_instance();
        }
        add_action( 'plugins_loaded', 'wpmudev_forminator_upload_email_attachment', 10 );
    }
}
```
But here no ID of the form is included, like in the first code: https://gist.github.com/wpmudev-sls/7a32dc5407324cc902f8b9ad8970ef62
Hello @crownst,
Thank you for the explanation.
We have forwarded all the info to the Second Line Support (SLS) team, in order for them to test the code snippets, and troubleshoot any issues.
Please note, that the next reply may take longer, depending on the current amount of complex tasks for the SLS techs. Thank you for understanding.
Best Regards,
Dmytro

Hello @crownst,
Please accept our apologies for the delay. Our techs could not replicate the same issue so far.
However, it’s possible that the upload field options should be adjusted. Could you please make sure that these 2 options are enabled on the Advanced tab:
https://prnt.sc/3hpW57P1_OnC
Hope this helps. Please let us know if the issue persists.
Best Regards,
Dmytro

That worked. I did not have the two options “Attach to email” and “Delete file after upload” activated under Advanced. Sorry, I didn’t know that I had to activate this manually after the mu plugin code was uploaded. Thank you very much for the help!
Hi @crownst,
I hope you are doing well today!
We are glad to hear that the issue has been resolved and marking this thread accordingly. Please let us know in case you need further help.
Kind regards,
Zafer
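
The symptom reported in this thread was uploaded files remaining under wp-content/uploads/forminator/ until the two field options were enabled. The check below is an added example, not part of the original posts or the plugin: it lists files still on disk after a grace period, so the deletion can be verified after a test submission or monitored from cron. The function names, the default grace period and the skipped placeholder file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Forminator uploads tree for
# files that were left on the web server after form submission.
# Assumption: uploads live under wp-content/uploads/forminator/, as in the
# example path quoted in the thread. Function names are hypothetical.

# Print every regular file under $1 that is older than $2 minutes.
# The grace period avoids flagging uploads whose email is still being sent.
# index.php / index.html / .htaccess are skipped as directory placeholder
# files rather than user uploads (assumption).
leftover_uploads() {
    dir=$1
    grace=${2:-10}
    [ -d "$dir" ] || return 0
    find "$dir" -type f -mmin +"$grace" \
        ! -name 'index.php' ! -name 'index.html' ! -name '.htaccess' \
        -print
}

# Return 0 when the tree is clean, 1 when uploaded files remain.
# The offending paths go to stderr so a cron job or monitor can alert on them.
audit_uploads() {
    count=$(leftover_uploads "$1" "$2" | wc -l | tr -d ' ')
    if [ "$count" -gt 0 ]; then
        echo "WARN: $count uploaded file(s) still on disk under $1" >&2
        leftover_uploads "$1" "$2" >&2
        return 1
    fi
    echo "OK: no leftover uploads under $1"
    return 0
}

# Stand-alone use: ./audit.sh /path/to/wp-content/uploads/forminator 10
if [ "$#" -gt 0 ]; then
    audit_uploads "$@"
fi
```

A non-zero exit after a test submission means the “Delete file after upload” toggle is not taking effect for at least one Upload field.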