FoF Upload has no spam protection how do I prevent spam?

Dwelled

Hi, I’m new to Flarum, and I’m creating a forum. I want my users to be able to upload files via the fof/upload extension, but I’ve noticed that as soon as an image is uploaded, it is instantly saved permanently on my server in the flarum/public/assets/files/current-date directory. This happens even if the user DOES NOT use this file in post, so I don’t think any anti-spam extension has any effect.

In fact, it seems very easy to create a bot to mass-upload the same file and overload a server. This means that one person could potentially upload hundreds of gigabytes to my forum in a single day. Is there any fix for this?

I even tested it on this forum to see if anything would prevent me from doing that, and there isn’t. I successfully uploaded about 20 images without any problems. You can even use the same file repeatedly, and it will still save each one internally as a separate image.

I’m not sure if this is the right place to discuss this, but does any fix exist, or did I just discover an exploit?
By the way, you might want to disable your fof/upload extension if this behavior wasn’t intended.

Is this intended behavior, or am I missing something?

KBExit

Dwelled you can use the map command and delete images that aren't used.

Dwelled

KBExit

how does that fix anything if someone can upload more gb per day form one computer than I have memory in my server.
like sure I could run a cron job to delete unused images every day but thats not often enough if there is a server constantly atakcing my server and if I run it like every hour then some users will lose the images they uplaoded when making a post. I thoght that maybe there is a more elegant solution. and also what if the person does post those images and just sends a post with 100 images for some reason no spam prevention system seems to detect that a post with 100 images is a spam post. Is there a way to limit the images per post? this seems very easy to exploit

KBExit

Dwelled if you don't trust your users, can you create a separate user group and only allow uploads from that group.
You can also utilize object storage so you're not having to hit a hard limit with your hosting provider.
Additionally, can you implement anti spam measures during registration to curb this and if you use Cloudflare, you can increase protections against bot attacks.

Dwelled

KBExit

Thanks for all the help, it's very appreciated.
Yes, I do actually use Cloudflare for my forum. Do you know by any chance which exact settings I can turn on to prevent bot attacks in Cloudflare?
Also, I think the best current solution is a combination of register/login captcha and a verified user rank. I can also enable uploads for everybody but have a verified rank ready so I can turn uploads on only for verified users in case of an attack. But this relies on me being able to ban users abusing the system. Is there any way to know who uploaded a file like that if it's not even in any post?
This still seems like a janky workaround but it can make attacks harder.

For example, here is my upload:
https://cdn.discuss.flarum.org/2026-03-13/1773430819-962723-thumb-1920-658610-4219665980.jpg
Can an admin tell I uploaded that image?

GreXXL

Dwelled of course you can. All uploads are linked to a user profile: https://discuss.flarum.org/u/Dwelled/uploads

By the way - please follow our guidelines and don’t spam this forum.

Dwelled

GreXXL

ok but that only works if I know the user first what if I don't know who is spamming the forum? I don't know how do I find a user from a file he uploaded without manually checking every user since the users admin tab doesn't show the amount of uploads and you don't have to make any posts to upload files.
so the question is can I see the user who uploaded the file somehow like form a file on my server, image link or some entry in the database or some other way.

btw. I didn't want to spam the forum I was just checking if you have any protection against that so I could do the same but there are none here.

Dwelled

GreXXL

Ok I have found fof_upload_files in the database and there I can see the actor_id witch seems to corespond to the ID numbers in the users tab in the admin panel correct me im im wrong

ok I think that gives me something to protect against this but this seems like a very complex patch the solution is basicaly a combination of:
Captcha protection
Custom cron scripts
Custom user roles for uploads
Linux quota limits
Manually searching for spam by checking the file directory and the database entries
Manual bans
Manual file and post deletion

Very janky and manual but does make it hard to break a server by just uplaoding files.

I feel like the upload extension could be better and not have me use all of those workarounds for protection honestly expected something more from the most popular flarum extension

KBExit

Dwelled well, the purpose of the extension is to "upload" and it does a damn good job of that.

I do recommend Cloudflare Turnstile to assist with anti spam

Dwelled

KBExit
yeah a bit too good of a job when anybody can easily overload the server.
I mean its a good extension works very well just not protected against people who want to take down the server

Chat gpt could write a simple bash script to do that here and I could see if anybody comes up with a good fix (joke)

but then this forum would probably just turn off file uploads or allow them only for a certain rank witch is not ideal

Dwelled

KBExit

KBExit I do recommend Cloudflare Turnstile to assist with anti spam

I assume you mean the Cloudflare Turnstile as a flarum extension right?

KBExit

Dwelled yes with the API key.
But amongst the sites I host, I have not witnessed a bot attack with uploads.

Dwelled

KBExit

I feel like if there was an attack there would be a fix maybe I should change that? lol

KBExit

Dwelled what do you mean? 😅

GreXXL

I understand what you mean but this is not something that can be addressed in FoF/upload. There are other means to use up a forums resources like posting and causing notifications. Like @KBExit mentioned there are good ways to battle spam and if you only want to allow trusted members to upload you can easily do that via permissions.

Dwelled

GreXXL
Using up a forum’s resources through posting would be way slower and ineffective because it can be seen easily and there are extensions to prevent that. Unlike uploading files without making any posts, that also uses up way more resources, potentially hundreds of GB storage per day from just one user. and there is no good way to prevent that.

I'm not a Flarum plugin dev so I don't really know how they work, but I thought it could be fixed by either:

allowing you to set an upload limit per user per day, e.g. 5 uploads per day or 100 MB per day
not storing the uploaded files permanently, instead deleting them if they are not in any post within like 30 minutes of the files being uploaded

And I don't think I can solve that with a cron job running every 30 minutes clearing all unused files, since that could also potentially delete a file that was just uploaded if the timings aligned between the file clear cron job and the user just uploaded an image and hasn't posted it yet.

Also I want all of my users to be able to upload images since it's a very useful forum feature. It literally is allowed here in this forum for every user for this reason, so I don't want to limit that.

If you really want I can demonstrate it by creating a simple bash script to flood this server since there is no limit to how many files I can upload and you probably wouldn't even notice unless there is some sort of alert system like amazon s3 alerts telling you that you are close to the limit if you set one.

Dwelled

GreXXL

I just realized that actually this can be a cron job since you can make it delete every unused file thats older x time old like this:
php flarum fof:upload --map --cleanup --cleanup-before="1 hour ago" --force

Sorry should have just read the documentaion but I still feel like this should be done by deafiult or something that I can just set in the extension settings.