Details
- Type: Bug
- Status: Done/Fixed
- Priority: Critical
- Resolution: Fixed/Completed
- Affects Version/s: 3.2
- Fix Version/s: 3.2.1
- Component/s: CiviMember
- Labels: None
Description
When an import runs it saves a file to the Drupal files/civicrm/upload directory. For most of these the file gets what appears to be an MD5 hash inserted into the file name, but is still guessable, to a degree, and easily seeable if an install is not running the default Drupal .htaccess (not all that unusual).
This is compounded dramatically by Import.errors, which DOES NOT get that hash.
Here is the civicrm Demo site releasing Personally Identifiable Information itself, into an easily guessable namespace.
http://drupal.demo.civicrm.org/sites/drupal.demo.civicrm.org/files/civicrm/upload/sqlImport.errors
A best practice would remove the import original files after any import (successful or failed) as they exist on the user's local machine, so this is non-destructive. Even better would be to keep them out of the filesystem altogether.
Import errors should probably be stored in the DB and a file created on the fly for privileged users if they need a csv output.
In my opinion, personally identifiable information just shouldn't be written to the filesystem ever.
Marked as critical because I can look at first, last and email in a plaintext file on the demo site. Seems pretty critical to me.
Thanks for all your hard work, and let me know if I can provide more info or what is best next steps. I'm long time Drupal, but new to CiviCRM. Thanks.
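
An administrator can check their own install for the condition reported above with a small audit of the upload directory. This is an added example, not part of the original report and not CiviCRM code. It assumes the hash-like token is 32 hexadecimal characters in the file name; the function names and the sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: the "MD5-looking" token is a run of exactly 32 hex characters.
TOKEN_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{32}(?![0-9a-fA-F])")


def audit_upload_dir(upload_dir):
    """Classify import files left behind in upload_dir.

    Returns {"predictable": [...], "tokenized": [...]} with sorted file names.
    "predictable": no random-looking token, so the URL is guessable outright.
    "tokenized":   has a token, but the file still sits under the web root
                   and should be removed once the import has finished.
    """
    findings = {"predictable": [], "tokenized": []}
    for entry in sorted(Path(upload_dir).iterdir()):
        # Skip sub-directories and dotfiles such as .htaccess.
        if not entry.is_file() or entry.name.startswith("."):
            continue
        key = "tokenized" if TOKEN_RE.search(entry.name) else "predictable"
        findings[key].append(entry.name)
    return findings


def build_sample_dir():
    """Create a throwaway directory with constructed sample file names."""
    root = Path(tempfile.mkdtemp(prefix="civi_upload_"))
    names = (
        "sqlImport.errors",                               # name from the report
        "contacts_0123456789abcdef0123456789abcdef.csv",  # constructed name
        ".htaccess",
    )
    for name in names:
        (root / name).write_text("constructed sample\n")
    return root


if __name__ == "__main__":
    report = audit_upload_dir(build_sample_dir())
    for name in report["predictable"]:
        print("PREDICTABLE NAME (guessable URL):", name)
    for name in report["tokenized"]:
        print("leftover import file (remove after import):", name)
```

Point `audit_upload_dir` at the real files/civicrm/upload path of an install to list what is currently exposed there.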