UploadsAdmin
PmWiki has a feature script called

Some notes about security
$EnableUploadOverwrite = 0;

Basic installation

The upload.php script is automatically included from stdconfig.php if the

Thus, a basic config.php for uploads might look like:

<?php

Important: do NOT create the uploads directory yet! See the next paragraph.

The upload directory

For the upload feature to work properly, the directory given by $UploadDir must be writable by the web server process, and it must be in a location that is accessible to the web somewhere (e.g., in a subdirectory of public_html). Executing PmWiki with uploads enabled will prompt you with the set of steps required to create the uploads directory on your server (it differs from one server to the next).

Uploading a file

Once the upload feature is enabled, users can access the upload form by adding "

Another way to access the upload form is to insert the markup "

By default, PmWiki will organize the uploaded files into separate subdirectories for each group. This can be changed by modifying the

Restricting uploaded files for groups and pages

Uploads can be enabled only for specific groups or pages by using a per group customization. Simply set

Restricting uploaded files type and size

The upload script performs a number of verifications on an uploaded file before storing it in the upload directory. The basic verifications are described below.
$UploadMaxSize = 100000;

However, maximum file sizes can also be specified for each type of file uploaded. Thus, an administrator can restrict "

$UploadExtSize['gif'] = 20000; # limit .gif files to 20K

Setting an entry to zero disables file uploads of that type altogether:

$UploadExtSize['zip'] = 0; # disallow .zip files

Adding new filetypes to permitted uploads

To add a new extension to the list of allowed upload types, add a line like the following to a local customization file:

$UploadExts['ext'] = 'content-type';

where ext is the extension to be added, and content-type is the content-type (MIME type) to be used for files with that extension. For example, to add the '

$UploadExts['dxf'] = 'image/x-dxf';

Other file size limits

There are other factors involved that affect upload file sizes. In Apache 2.0, there is a LimitRequestBody directive that controls the maximum size of anything that is posted (including file uploads). Apache has this defaulted to unlimited size. However, some Linux distributions (e.g., Red Hat Linux) limit postings to 512K, so this may need to be changed or increased. (Normally these settings are in an httpd.conf configuration file or in a file in /etc/httpd/conf.d.)

A problem was noted on Red Hat 8.0/9.0 with Apache 2.0.x: the error "Requested content-length of 670955 is larger than the configured limit of 524288" was occurring under Apache and a "Page not found" would appear in the browser. Trying the above settings made no change with PHP, but on Red Hat 8.0/9.0 there is an additional PHP config file, /etc/httpd/conf.d/php.conf, and increasing the number on the line "LimitRequestBody 524288" solves the issue.

PHP itself has two limits on file uploads (usually located in /etc/php.ini). The first is the

With the variables in place (PmWiki's maximum file size, Apache's request-size limits, and the PHP file size parameters), the maximum uploaded file size will be the smallest of the three variables.
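
The "smallest of the three variables" rule, combined with the per-extension limits described earlier, as an added example that is not part of PmWiki or of the original page. The function names are hypothetical; the LimitRequestBody value is supplied by hand because PHP cannot read Apache's configuration, and the two PHP limits are read from PHP's `upload_max_filesize` and `post_max_size` ini directives. Treating a non-positive Apache or PHP value as "no limit" is an assumption of this sketch.

```php
<?php
// Added example, not PmWiki code: effective upload ceiling for one extension.

// Convert a php.ini shorthand size ("2M", "512K", "100000") to bytes.
function iniBytes(string $v): int {
    $v = trim($v);
    $n = (int)$v;                      // leading digits: "8M" -> 8, "" -> 0
    switch (strtoupper(substr($v, -1))) {
        case 'G': return $n * 1024 * 1024 * 1024;
        case 'M': return $n * 1024 * 1024;
        case 'K': return $n * 1024;
    }
    return $n;                         // plain byte count
}

// Returns the largest file size (bytes) that can pass every layer, or 0 when
// PmWiki's configuration disables the extension altogether.
function effectiveUploadLimit(string $ext, int $uploadMaxSize,
        array $uploadExtSize, int $limitRequestBody,
        string $phpUploadMax, string $phpPostMax): int {
    // PmWiki layer: a per-extension entry takes the place of the site-wide
    // maximum, and an entry of 0 disallows that file type.
    $pmwiki = $uploadExtSize[$ext] ?? $uploadMaxSize;
    if ($pmwiki <= 0) return 0;
    $limits = [$pmwiki];
    // Apache layer (assumption: 0 means unlimited, so it adds no ceiling).
    if ($limitRequestBody > 0) $limits[] = $limitRequestBody;
    // PHP layer: both ini limits apply to an upload request.
    foreach ([$phpUploadMax, $phpPostMax] as $raw) {
        $bytes = iniBytes($raw);
        if ($bytes > 0) $limits[] = $bytes;
    }
    return min($limits);
}

// Constructed sample: the settings shown on this page plus the Red Hat
// LimitRequestBody value, checked against this PHP's own ini limits.
$UploadExtSize = ['gif' => 20000, 'zip' => 0];
foreach (['gif', 'zip', 'png'] as $ext) {
    $max = effectiveUploadLimit($ext, 100000, $UploadExtSize, 524288,
        (string)ini_get('upload_max_filesize'),
        (string)ini_get('post_max_size'));
    printf("%-4s %s\n", $ext, $max > 0 ? "$max bytes" : 'disallowed');
}
```

Run it with the same PHP configuration the web server uses, since the command-line PHP may load a different php.ini.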

Password protecting uploaded files

Setting a read password for pages (and groups) will prevent an attached file from being seen or accessed through the page, but to prevent direct access to the file location (the uploads/ directory) one can do the following:

See Cookbook:SecureAttachments.

Other notes

file_uploads = On

Note that if you change this value, httpd must generally be restarted. Another way to check if uploads are allowed by the server is to set $EnableDiag to 1 in config.php, and set ?action=phpinfo on a URL. The "

Each entry in $UploadExts needs to be the extension and the mime-type associated with that extension, thus:

$UploadExts = array(
  'gif' => 'image/gif',
  'jpeg' => 'image/jpeg',
  'jpg' => 'image/jpeg',
  'png' => 'image/png',
  # ...
);

For the types that PmWiki already knows about it's not necessary to repeat them here (the upload.php script adds PmWiki's defaults to whatever the admin supplies).