Issue
- I am reporting a security issue with the form file uploads. When a user uploads a file through a form, the file is stored in the doc lib, but the file is not cleaned up when the user decides to upload another file; this allows for a potential DDOS attack.
Reproduction Steps:
- Start 2024.q3.13
- Go to Content & Data --> Forms and add a Form.
- Add to the Form an Upload field, enable the option "Allow Guest Users to Send Files", and publish the form.
- Edit the Home page, add a Form widget, configure it to display the created form, and publish the page.
- Copy a jpg file and name it `test-jpg.jpg`
- Copy a pdf file and name it `test-pdf.pdf`
- Log out of the instance.
- As a guest user select the file `test-jpg.jpg` for the upload form (do not submit the form)
  - Liferay uploads the file
- Select the `test-pdf.pdf`
  - Liferay uploads the file
- Select the `test-jpg.jpg`
  - Liferay uploads the file.
Actual Result: The file `test-jpg.jpg` is now named `test-jpg (1).jpg`. The above situation allows a malicious user to upload files continuously and eventually fill up the disk space, thereby causing a denial of service.
Expected Result: The uploaded file is not uploaded as multiple versions of the same existing file.
Environment
- Liferay Quarterly Release 2024.q3.13
Resolution
- The issue is fixed by LPD-48341. Please request a hotfix.