DotVVM: Unrestricted file upload
📋 Description
Impact
All users of DotVVM with configured file upload storage are affected.
DotVVM allows anyone to upload files to the application, potentially causing denial of service by filling the disk.
Patches
Since version 4.3.15, 4.2.11 and 5.0.0-preview09, DotVVM requires all file upload request to have a cryptographic token, which is automatically generated by the FileUpload component. This means that users without access to any page with the FileUpload component cannot upload any files.
The patch also add the DotvvmConfiguration.Security.AuthorizeFileUpload option which allow you to further restrict which users can upload files.
Workarounds
As a workaround, you can temporarily disable file upload by removing AddUploadedFileStorage or AddDefaultTempStorage from your DotVVM configuration.
Even with the patch, we recommend configuring file upload to use a dedicated partition with limited size.
References
- DotVVM file upload configuration: https://www.dotvvm.com/docs/4.0/pages/concepts/upload-and-download-files/upload-files
🎯 Affected products3
- nuget/DotVVM:< 4.2.11
- nuget/DotVVM:> 4.3.0-preview01-final, < 4.3.15
- nuget/DotVVM:>= 5.0.0-preview01-final, < 5.0.0-preview09-final