The filenames are intentionally obfuscated. The simplest workaround would be to send yourself a basic or detailed notification email and click on the "view response" link. From there you can download the file.

alexgarciac wrote: I can only find out the content of the file in my mac because preview is smart enough as to convert what ever it is and display it. but in windows I just cant find out how to determine the type of file

To find out the type of files you might try some of these tools:
www.raymond.cc/blog/what-file-is-that-ho...es-types-and-format/

A obfuscation with filetypesuffix in cleartext wouldn't raise the risk of file exposure to third parties that much.
At least not for direct access via URL/path

PS : this file upload question type must be really rewrited for
- Save file elsewhere on the disk (with a cleaner file name, but out of web access)
or
- Save file in DB

I also find it strange that it seems so complicated to get to these uploaded files. I mean, security of the files is important, but if it is so complicated (never used this question type, I only see the confusion on the forum), then this question type is basically useless for most users, because they don't know how to get to their files.

@holch : currently : we are unsure user have access to a directory out of web. This system is used with very important thing sometimes ( CV/ Contract / id card etc ...) then we must NOT show it publicly.

Like i put in the report : i think there are only 2 ways to have a clean upload file system
- Save in DB only : it's more difficult to find it ...
- Save on the server out of web server : need configuration

If anyone are interested by a plugin : 'moveFileUploadToDir' when survey is submitted : i can make an offer.

The obfuscation is OK.

The issues around fileuploads storage are always:

1.) Preventing access via guessing a direct link to the file. E.g. when the pattern of the files is widely known.
2.) Prevent access when PHP is not working (correctly). E.g. php code will be displayed in the browser.
3.) Prevent access when Webserver is not working (correctly). E.g. htaccess no longer working.
4.) Make is easy to download file for survey admin.

For me the biggest issue with the current file upload question is the lacking of removing the files when deleting the survey and the database. The whole application gives the user the impression that the uploaded files are gone too.
The uploaded files stay on the server.

An option to config the upload path would be a good idea. That will allow people to move the storage location outside the webroot. Most people won't change it. But security gets improved. Same should be done with the databasebackup during the comfortupdate. These are also at risk of getting downloaded.

BTW: I always wonder why people use LimeSurvey for creating online-forms. Even the simplest address form looks strange with LS (E.g. too much space between the text inputs. No free positioning of fields.)
In public surveys the upload question is not that commonly used.

jelo wrote: ....
For me the biggest issue with the current file upload question is the lacking of removing the files when deleting the survey and the database. The whole application gives the user the impression that the uploaded files are gone too.
The uploaded files stay on the server.
....

BUT !

I think upload/survey/XXXX/ directory are deleted when delete a survey, it's not true ? Really a bug here ....

There are code for deleting files when you delete one response : github.com/LimeSurvey/LimeSurvey/blob/ma...els/Response.php#L14

DenisChenu wrote: I think upload/survey/XXXX/ directory are deleted when delete a survey, it's not true ? Really a bug here ....

There are code for deleting files when you delete one response : github.com/LimeSurvey/LimeSurvey/blob/ma...els/Response.php#L14

I only use LTS. You describe two situations:

1.) Deleting survey
2.) Deleting one response.

The most common scenario is just deactivating the survey and than from time to time doing a "check data integrity".
In that scenario the uploaded files stayed on the server. You can say that is an intended behavior but I doubt many users differentiate between database and file-based responses.

Will check again, but in the last years I always deleted uploads by hand from the server after the survey was deactivated and responses where purged via "check data integrity".

LS should clearly separate deleting of survey (structure and assets) vs. deleting of responses (db and uploads).

OK, your right : deactivate survey don't delete already answers. But there are another problem if we delete file upload : if user reactivate survey and reload answer DB : the file was lost. In fact : deactivate survey don't really delete responses : make a backup ...

Files are deleted when 1 and 2 , not when deactivated.

New checkbox when deactivate ????

DenisChenu wrote: New checkbox when deactivate ????

Not sure yet.

To delete everything when the survey is deleted is a clear concept.
Other tools use that as well, with the difference that you don't have the deactivation. You have pause and can edit the survey during the collection.
LS wording when deactivating is

All responses are not accessible anymore with LimeSurvey. Your response table will be renamed to: ....

. So that is the truth. The upload question came later into the game. So perhaps adding a remark at this screen about uploads and the path will be quick fix to the situation.

Technically I would prefer a export routine, which moves the database and the files to a folder, when the survey is deactivated. If the survey is reactivated the feature to reimport data is still possible. If the survey is deleted, all data is deleted.
Currently, if I reactivate the survey, but not reimport the old database the old uploads are still in the same folder as the new uploads.

The uploads are also not in the LSA export / import. Which is an issue from the user point of view. I understand the issues with the sizes. But from the user standpoint the uploads are part of the responses.

When we have QuestionObject : create an upload and save to DB fix this issue

Hello Denis and everybody,

As someone (or something like a google robot for indexing ) could reach directly the material in /upload/survey/{SID}/files,
by entering the url in a browser, if i am not misunderstanding (we had a discussion about that a few month ago in this forum) , how would you do to protect that with a simple system login/pwd passed in the url from a question that direct to a file in this folder ?

I did some research about placing the clips in a dropbox or something like that, but there is no way to get a link containing login/pwd that i can fill in limesurvey interface with source for reaching the clip. The only way i know is functioning like that : everytime a clip is reached from this content dropbox, the participant get a window inviting to manually enter the pwd, or to enter once and indicate to the browser to record it.

I mean, i will have a survey with short clips that would be uploaded in /files, my participants are informed that they do not have the right to share this material i have the right to use for this survey but i do not own; but someone else or google could reach and index this url. Could i password protect the/files folder and a subfolder in /files, putting somewhere in the limesurvey question the login/pwd ?

It will be visible for my participants only, and that would be the best solution for me because they sign an agreement about not sharing files, so if they see the login/pwd in the url that is not a problem, but it would be like i want, not accessible for someone else scrawling the repertoire ?

Many thanks,
Best,
Chris