How using shortcut links can lead to a leak in confidential files in SharePoint
I just had an issue with SharePoint Workspace 2010 that I think might be good to share with others so that they don’t encounter the same situation.
I recently started using SharePoint Workspace to interact with the document libraries on our SharePoint server. It is a nice interface for reading and editing files that are already on SharePoint. As you would expect to happen, I eventually wanted to add a (single) new document to the doc library.
I opened SharePoint Workspace and opened the doc library I was looking for. After navigating through the interface to the location where the new document belonged I clicked the Add Documents button in the ribbon.
Adding document in Sharepoint 2010 Workspace
Everything was working as expected so far. I saw the standard Add Files type dialog that we are all familiar with. I started at the C: drive and started working through the file system, looking for the file I wanted to upload. I double clicked to open a shortcut to a folder and…BAM!
The entire folder started uploading to SharePoint. No warning, no confirmation message…nothing. Files I had not intended to upload began appearing on the server.
I opened the Upload Center and tried to pause the uploads so I could delete them. They would not pause. Progress indicators all indicated that the uploads were progressing. So I tried to delete files from Upload Center. I could not. I could not multi-select the hundreds of files and attempts to delete single files from the Upload Center interface were unsuccessful. I ended up turning off my Wireless connection to stop the upload before I ended up with too many unintended files cluttering the document library.
I kept trying to pause the uploads with no success. So I rebooted (with the Wireless turned off). After I logged in I could see that the file uploads listed in Upload Center were now paused. I started trying to delete them. No love there, either.
I went into SharePoint Workspace and deleted my connections to the SharePoint server and then I was able to delete files from Upload Center. So I deleted a few files and looked at my Work Files folder to make sure they were not deleted there. They were not. So now I was ready to delete all of the files in the Upload Center cache.
Unfortunately, as I said a little earlier, you cannot multi-select files from Upload Center. You have to delete them one-by-one. With hundreds and hundreds of files to delete I decided that I would write a VBScript to cycle through them rather than spend a marathon session chipping…er, clicking…away at the problem.
Once all of the files were deleted I was able to reconnect SharePoint Workspace to all of the sites I had previously configured.
I uploaded the file by navigating through Explorer and doing a Copy & Paste of the desired file into SharePoint Workspace.
The moral of the story is that if you click the Add Documents button in SharePoint Workspace to add a file to a document library on a SharePoint server DO NOT navigate through a shortcut to a folder in your file system. Apparently SharePoint Workspace does not handle shortcuts like other applications, even other Office applications like Outlook.
Uploading files unexpectedly is annoying, but there is a potentially bigger issue. This is a security problem. It is possible that confidential documents could be uploaded into a document library where the audience with permissions to view that library may not be intended to view the documents uploaded in error. Looking at the screenshot below, one can see where a user may intend for the new list of employee phone extensions (as seen in the file system) to be uploaded to the server, but after having navigated through the shortcut in the Add Files dialog as shown earlier I ended up with everything, including the Sensitive Documents folder on the server. Now everyone has access, for example, to my company’s confidential HR information.
One can only hope that this issue is addressed, but until then users of SharePoint Workspace should be aware of this possibility.
