+1 Need an answer for this aswell. The guid helps secure the file a bit but iam looking for something more bulletproof.

Has anyone found a solution to this? Seems like quite a bit of an oversight.

We have a feature which restrict access upload files from visitiors, it is exactly the one you needed. The feature is not release yet. It would be Forms 4.6.2, I think.

Hi!

Is this problem fixed yet? The next version seems to be 4.70 (not 4.6.2). 

If you read the release Notes for 4.70 it says nothing about this problem.

https://world.episerver.com/documentation/Release-Notes/?versionFilter=4.7.0&packageFilter=EPiServer.Forms&typeFilter=All  

We couldn't wait any longer for Episerver to release a fix so we used this approach which works pretty well for now...

https://talk.alfnilsson.se/2016/05/06/episerver-forms-how-to-change-where-uploaded-files-are-stored/

Hope this helps.

It is released in Forms 4.7, it is security issue so you cannot see it on release notes. The fix will only effect for the new file upload which sent to server after you've upgrade. For the old files, they are still there.

Thanks for the very quick response :-)

Ok, that was good news.

We will install the 4.7 version of Forms as soon as possible!

I know this thread is old, but I am facing the same issue, and looking for how to secure the uploaded files from visitors.

Dac, can you please point me to any user guide or instructions for how to do this?  We have EPiServer.CMS 11.18.1 and EPiServer.Forms 4.29.3.

Thanks! 

I had the exact opposite problem, and wrote this blogpost:
https://www.gulla.net/no/blog/episerver-forms-public-access-to-uploaded-files/

Maybe you can reverse it? I.e. restricting the access rights for the upload folder?

Thank you, Tomas!  This at least gives me a way to see what the access rights are for the "Uploaded Files" folders.  And it might even help me figure out how they got set the way they did.

Since EditSecurity.aspx changed with CMS-12, I went with a code solution to another role on publish of the file upload element.

Here's a bit of it for reference:

    public class FileUploadFolderService
    {
        private readonly IContentRepository _contentRepository;
        private readonly IContentSecurityRepository _securityRepository;
        private readonly ContentAssetHelper _contentAssetHelper;

        public FileUploadFolderService(IContentRepository contentRepository, IContentSecurityRepository securityRepository, ContentAssetHelper contentAssetHelper)
        {
            _contentRepository = contentRepository;
            _securityRepository = securityRepository;
            _contentAssetHelper = contentAssetHelper;
        }

        public ContentReference GetOrCreateFileUploadFolder(IContent content)
        {
            var assetFolder = _contentAssetHelper.GetOrCreateAssetFolder(content.ContentLink);
            var children = _contentRepository.GetChildren<ContentFolder>(assetFolder.ContentLink);
            var folder = children.FirstOrDefault(e => e.Name.Equals(Constants.FileUploadFolderName));
            if (folder != null)
                return folder.ContentLink;

            folder = _contentRepository.GetDefault<ContentFolder>(assetFolder.ContentLink);
            folder.Name = Constants.FileUploadFolderName;

            return _contentRepository.Save(folder, SaveAction.Publish, AccessLevel.NoAccess);
        }

        public void SetFolderAccess(ContentReference contentReference)
        {
            var contentSecurityDescriptor = new ContentAccessControlList();
            contentSecurityDescriptor.AddEntry(new AccessControlEntry(Roles.Administrators, AccessLevel.FullAccess, SecurityEntityType.Role));
            contentSecurityDescriptor.AddEntry(new AccessControlEntry(Roles.WebAdmins, AccessLevel.FullAccess, SecurityEntityType.Role));
            // Additional read role - set to whatever desired
            contentSecurityDescriptor.AddEntry(new AccessControlEntry("Authenticated", AccessLevel.Read, SecurityEntityType.Role));

            _securityRepository.Save(contentReference, contentSecurityDescriptor, SecuritySaveType.Replace);
        }
    }

    [InitializableModule]
    [ModuleDependency(typeof(InitializationModule))]
    public class FileUploadInitializationModule : IInitializableModule {
        public void Initialize(InitializationEngine context) {
            var contentEvents = context.Locate.ContentEvents();
            contentEvents.PublishedContent += ContentEvents_PublishedContent;
        }

        public void Uninitialize(InitializationEngine context) {
            var contentEvents = context.Locate.ContentEvents();
            contentEvents.PublishedContent -= ContentEvents_PublishedContent;
        }

        private void ContentEvents_PublishedContent(object sender, ContentEventArgs args) {
            if (args.Content is FileUploadElementBlock) {
                var service = ServiceLocator.Current.GetInstance<FileUploadFolderService>();
                var contentRefenence = service.GetOrCreateFileUploadFolder(args.Content);
                service.SetFolderAccess(contentRefenence);
            }
        }
    }

I need oppposite solution. We use Episerver.Forms 5.3.1 and CMS12. The uploaded files folder should have public access rights: everyone (not only visible for logged users) should open and read the uploaded file. So is the code included by Matthew Jimenez the only solution? Maybe it might be done in similar way like in the previous version of CMS: link?

Whatever you do, make sure the documents are not available in the public search of your website. If that's not intended.