Security Question about Submission form


  • #1152733
    Chele
    Guest

    Hello,

    We are interested in purchasing your Community Events Calendar to go along with the Events Calendar we already have by you. Our main goal is to be able to have people submit events and then have our admin approve them before posting. Our web people wanted me to ask a few questions regarding security. I looked through the forums but am a novice and so far haven’t found the answers to their questions, which follow. Can someone please advise on the following…

    If a person uploads an image file (such as a flyer) to the submission form does it go directly into the media file folder or anything publicly accessible? Our web people are concerned about the possibility of people uploading malicious things.

    What parameters of security do you have?

    Thank you.

    #1152976
    Brook
    Participant

    Howdy Chele,

    Great questions, I’d love to help clarify what happens.

    The media uploader checks the “mime type” of files when uploaded, and thus restricts people to only uploading images. They would not be able to upload executable files, php files, etc. So this does a good job of preventing malicious files.

    On very rare occasion there have been security flaws in image formats like JPG. Basically viewing a malicious image would cause something bad to happen. If somebody finds one of those again in the future, then they would be able to upload an actual image to your website that behaves in a malicious manner. The only way to catch this sort of thing would be a virus scanner on your server. A lot of web servers already have one built in, and will send the server admin an alert if something like this is detected.

    If a person uploads an image file (such as a flyer) to the submission form does it go directly into the media file folder or anything publicly accessible?

    It goes into the /wp-content/uploads/ folder, just like everything else. These folders are technically publicly accessible. However, unless you guys are linking to all the files in these folders no one will ever happen upon them until you publish the event which links to them. So while technically accessible, in practice no one will ever access them until the event is approved.

    Does that all make sense? Will that work for you? Please let me know.

    Cheers!

    – Brook
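
Added example, not part of the original thread and not the plugin's or WordPress's own code: a sketch of the kind of type check described in the reply above, accepting an upload only when its leading bytes identify an image and that type matches the file extension. The function names, the allowed list and the sample byte strings are assumptions constructed for illustration.

```python
# Added illustration: allow an upload only when its leading bytes ("magic
# number") identify an image type AND that type matches the file extension.
# SIGNATURES, ALLOWED, sniff_image_type and check_upload are hypothetical names.
import os

# Leading-byte signature -> MIME type for the formats this sketch accepts.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
]
# Extension -> MIME type that the extension claims.
ALLOWED = {".png": "image/png", ".jpg": "image/jpeg",
           ".jpeg": "image/jpeg", ".gif": "image/gif"}


def sniff_image_type(data: bytes):
    """Return the MIME type implied by the file's first bytes, or None."""
    for magic, mime in SIGNATURES:
        if data.startswith(magic):
            return mime
    return None


def check_upload(filename: str, data: bytes):
    """Return (accepted, reason_or_type) for one uploaded file."""
    # Only the final extension counts, lower-cased: "flyer.php.jpg" -> ".jpg".
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    claimed = ALLOWED.get(ext)
    if claimed is None:
        return False, f"extension {ext or '(none)'} is not an allowed image type"
    actual = sniff_image_type(data)
    if actual is None:
        return False, "content does not start with a known image signature"
    if actual != claimed:
        return False, f"content is {actual} but extension claims {claimed}"
    return True, actual


if __name__ == "__main__":
    # Constructed sample uploads (header bytes only, not complete images).
    samples = [
        ("flyer.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("flyer.php", b"<?php echo 'hi'; ?>"),       # extension not allowed
        ("flyer.jpg", b"<?php echo 'hi'; ?>"),       # script renamed to .jpg
        ("flyer.gif", b"\x89PNG\r\n\x1a\n"),         # type/extension mismatch
    ]
    for name, body in samples:
        print(name, check_upload(name, body))
```

A check like this only confirms that a file looks like the image type it claims to be; it does not detect a well-formed image crafted to trigger a decoder flaw, which is the case the reply leaves to a server-side scanner.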

    #1161584
    Support Droid
    Keymaster

    Hey there! This thread has been pretty quiet for the last three weeks, so we’re going to go ahead and close it to avoid confusion with other topics. If you’re still looking for help with this, please do open a new thread, reference this one and we’d be more than happy to continue the conversation over there.

    Thanks so much!
    The Events Calendar Support Team
