blob: bac5ea5f35cca9596c56a7d4ddd333bba30f1ae3 [file] [log] [blame]
version=pmwiki-2.0.beta26
newline
time=1111873055
text=PmWiki has a feature script called @@upload.php@@ that allows users to upload files to the wiki server from a web browser. These files can then be easily accessed using markup within wiki pages. This page describes how to install and configure the upload feature.²²!!!Some notes about security²²# Keep in mind that letting users (anonymously!) upload files to your web server does entail some amount of risk. The @@upload.php@@ script has been designed to reduce the hazards, but [[WikiAdministrator]]s should be aware that the potential for vulnerabilities exist, and that misconfiguration of the upload utility could lead to unwanted consequences.²²# By default, authorized users are able to overwrite files that have already been uploaded, without the possibility of restoring the previous version of the file. If you want to disallow users from being able to overwrite files that have already been uploaded, add the following line to ''config.php'' $EnableUploadOverwrite = 0;²²!!!Basic installation²²The ''upload.php'' script is automatically included from ''stdconfig.php'' if the $EnableUpload variable is true in ''config.php''. In addition, ''config.php'' can set the $UploadDir and $UploadUrlFmt variables to specify the local directory where uploaded files should be stored, and the URL that can be used to access that directory. By default, $UploadDir and $UploadUrlFmt assume that uploads will be stored in a directory called ''uploads/'' within the current directory (usually the one containing ''pmwiki.php''). In addition, ''config.php'' should also set a default upload password (see PasswordsAdmin).²²Thus, a basic ''config.php'' for uploads might look like <?php² $EnableUpload = 1 $UploadDir = "/home/john/public_html/uploads" $UploadUrlFmt = [="http://www.john.com/~john/uploads";=]² $DefaultPasswords['upload'] = crypt('mysecret');² ## more configuration entries here...² ?>²!!!!The Upload directory²For the upload feature to work properly, the directory given by [=$UploadDir=] must be writable by the web server process, and it must be in a location that is accessible to the web somewhere (e.g., in a subdirectory of ''public_html''). Executing PmWiki with uploads enabled will prompt you with the set of steps required to create the uploads directory on your server (it differs from one server to the next).²²!!!!Uploading a file²Once the upload feature is enabled, users can access the upload form by adding "@@?action=upload@@" to the end of a normal PmWiki URL. The user will be prompted for an upload password similar to the way other pages ask for passwords (see [[Passwords]] and [[PasswordsAdmin]] for information about setting passwords on pages, groups, and the entire site).²²Another way to access the upload form to insert the markup "[@Attach:filename.ext@]" into an existing page, where @@filename.ext@@ is the name of a new file to be uploaded. When the page is displayed, a '?-link' will be added to the end of the markup to take the author to the upload page.²²By default, PmWiki will organize the uploaded files into separate subdirectories for each group. This can be changed by modifying the $UploadPrefixFmt variable. See Cookbook:UploadGroups for details.²²!!!Restricting uploaded files for groups and pages²²Uploads can be enabled only for specific groups or pages by using a [[per group customization(s)]]. Simply set @@$EnableUpload=1;@@ for those groups or pages where uploading is to be enabled; alternately, set @@$EnableUpload=1;@@ in the config.php file and then set @@$EnableUpload=0;@@ in the per-group or per-page customization files where uploads are to be disabled.²²!!!Restricting uploaded files type and size²²The upload script performs a number of verifications on an uploaded file before storing it in the upload directory. The basic verifications are described below.²:'''filenames''': the name for the uploaded file can contain only letters, digits, underscores, hyphens, spaces, and periods, and the name must begin and end with a letter or digit. ²:'''file extension''': only files with approved extensions such as "@@.gif@@", "@@.jpeg@@", "@@.doc@@", etc. are allowed to be uploaded to the web server. This is vitally important for server security, since the web server might attempt to execute or specially process files with extensions like "@@.php@@", "@@.cgi@@", etc. ²:'''file size''': By default all uploads are limited to 50K bytes, as specified by the $UploadMaxSize variable. Thus, to limit all uploads to 100K, simply specify a new value for $UploadMaxSize in ''config.php'':² $UploadMaxSize = 100000;²²However, maximum file sizes can also be specified for each type of file uploaded. Thus, an administrator can restrict "@@.gif@@" and "@@.jpeg@@" files to 20K, "@@.doc@@" files to 200K, and all others to the size given by $UploadMaxSize. The $UploadExtSize array is used to determine which file extensions are valid and the maximum upload size (in bytes) for each file type. For example:² $UploadExtSize['gif'] = 20000; # limit .gif files to 20K²²Setting an entry to zero disables file uploads of that type altogether:² $UploadExtSize['zip'] = 0; # disallow .zip files ²²!!!!Other file size limits²There are other factors involved that affect upload file sizes. In Apache 2.0, there is a `LimitRequestBody directive that controls the maximum size of anything that is posted (including file uploads). Apache has this defaulted to unlimited size. However, some Linux distributions (e.g., Red Hat Linux) limit postings to 512K so this may need to be changed or increased. (Normally these settings are in an ''httpd.conf'' configuration file or in a file in ''/etc/httpd/conf.d''.)²²PHP itself has two limits on file uploads. The first is the @@upload_max_filesize@@ parameter, which is set to 2M by default. The second is @@post_max_size@@, which is set to 6M by default.²²With the variables in place--PmWiki's maximum file size, Apache's request-size limits, and the PHP file size parameters, the maximum uploaded file size will be the smallest of the three variables. ²²''TODO: finish documenting UploadsAdmin''²²!!!Issues²²For optimal use of Cookbook/BibtexRef, the ability to upload "@@.bib@@" files is necessary. Can this be added to the list of permitted extensions? [RickL]²->%Pm% Can't the Cookbook/BibtexRef just add the permitted extension rather than requiring it in the core...? --[[~Pm]]²²!!!Other notes²²* Note that read access to uploaded files is not controlled by any of the page or group attributes--uploaded files are accessible even if pages are protected by read passwords.²²* If uploads doesn't seem to work, make sure that your PHP installation allows uploads. The ''php.ini'' file (usually ''/etc/php.ini'' or ''/usr/local/lib/php.ini'') should have ² file_uploads = On²²Note that if you change this value, httpd must generally be restarted. Another way to check if uploads are allowed by the server is to set $EnableDiag to 1 in ''config.php'', and set ?action=phpinfo on a URL. The "@@file_uploads@@" variable must have a value of 1 (if it says "@@no value@@", that means it's off).²²Category: [[!Uploads]]²²%trail%<<|PmWiki.DocumentationIndex|>>
targets=PmWiki.PmWiki,PmWiki.WikiAdministrator,PmWiki.PasswordsAdmin,PmWiki.Passwords,PmWiki.PerGroupCustomizations,PmWiki.UploadsAdmin,Cookbook.BibtexRef,PmWiki.RickL,Profiles.Pm,Category.Uploads,PmWiki.Internationalizations,PmWiki.DocumentationIndex
author=Pm
name=PmWiki.UploadsAdmin
host=24.1.28.47
agent=Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2
rev=24