PmWiki upload.phpWeb upload wiki( )wiki

security?

PmWiki takes a somewhat, but justifiable, paranoid stance when it comes to the uploads feature. Thus, the default settings for uploads tend to try to restrict the feature as much as possible:

• ,
• ,
• , , , ().
• 50K

Web upload.php wiki administrators

, config.php :

 keep older versions 

 configure PmWiki

upload.php stdconfig.php $EnableUpload config.php config.php $UploadDir and $UploadUrlFmt , $UploadDir and $UploadUrlFmt uploads/ pmwiki.php) config.php ( PasswordsAdmin?).

config.php

<?php if (!defined('PmWiki')) exit();
##  Enable uploads and set a site-wide default upload password.
$EnableUpload = 1;
$DefaultPasswords['upload'] = crypt('secret');

 $DefaultPasswords['upload']config.php  $HandleAuth['upload'] = 'edit'; .

:

 URL:

$UploadDir = "/home/foobar/public_html/uploads";
$UploadUrlFmt = "http://example.com/~foobar/uploads";

Upload directory configuration

Uploads can be configured site-wide, by-group (default), or by-page by changing $UploadPrefixFmt in config.php. This determines whether all uploads go in one directory for the site, an individual directory for each group, or an individual directory for each page. The default is to organize upload by group.
$UploadPrefixFmt config.php wikigroups

For site-wide uploads, use

To organize uploads by page, use:

 $UploadDir Webpublic_html)PmWiki  (it differs from one server to the next). Note that you are likely to be required to explicitly create writable group- or page-specific subdirectories as well!

PmWiki URL "?action=upload" ( PasswordsPasswordsAdmingroups?)

 "Attach:filename.ext"  filename.ext'?-link'') ( Uploads

PmWiki $UploadPrefixFmt Cookbook:UploadGroups

PmWiki$EnableUploadVersions=1;

groups

Uploads can be enabled only for specific groups or pages by using a group customization?. Simply set $EnableUpload=1; for those groups or pages where uploading is to be enabled; alternately, set $EnableUpload=1; in the config.php file and then set $EnableUpload=0; in the per-group or per-page customization files where uploads are to be disabled.

Restricting total upload size for a group or the whole wiki

Uploads can be restricted to an overall size limit for groups. In the group configuration file (i.e., local/Group.php), add the line

This will limit the total size of uploads for that group to 1000KB --any upload that pushes the total over the limit will be rejected with an error message. This value defaults to zero (unlimited).

Uploads can also be restricted to an overall size limit for all uploads. Add the line

This will limit the total size of uploads for the whole wiki to 10000KB --any upload that pushes the total over the limit will be rejected with an error message. This value defaults to zero (unlimited).

The upload script performs a number of verifications on an uploaded file before storing it in the upload directory. The basic verifications are described below.

the name for the uploaded file can contain only letters, digits, underscores, hyphens, spaces, and periods, and the name must begin and end with a letter or digit.

only files with approved extensions such as ".gif", ".jpeg", ".doc", etc. are allowed to be uploaded to the web server. This is vitally important for server security, since the web server might attempt to execute or specially process files with extensions like ".php", ".cgi", etc.

50K bytes, $UploadMaxSize 100KB, config.php $UploadMaxSize :

. ".gif" ".jpeg" 20K, ".doc" 200K, $UploadMaxSize$UploadExtSize (in bytes) :

Setting an entry to zero disables file uploads of that type altogether:

$UploadExtSize['zip'] = 0;  # disallow .zip files
$UploadExtSize[''] = 0;     # disallow files with no extension

You can limit which types of files are uploadable by disabling all defaults and specifying only desired types Setting the variable $UploadMax to zero will disable all default file types. Individual file types may then be enabled by setting their maximum size with the variable $UploadExtSize.

# turns off all upload extensions
$UploadMaxSize = 0;

# enable only these file types for uploading
$aSize=100000; // 100 KB file size limitation
$UploadExtSize['jpg' ] = $aSize;
$UploadExtSize['gif' ] = $aSize;
$UploadExtSize['png' ] = $aSize;

Adding new file types to permitted uploads

To add a new extension to the list of allowed upload types, add a line like the following to a local customization? file:

where ext is the extension to be added, and content-type is the "MIME type", or content-type (which you may find here or on the lower part of this page) to be used for files with that extension. For example, to add the 'dxf' extension with a Content-Type of 'image/x-dxf', place the line

Each entry in $UploadExts needs to be the extension and the mime-type associated with that extension, thus:

$UploadExts = array(
  'gif' => 'image/gif',
  'jpeg' => 'image/jpeg',
  'jpg' => 'image/jpeg',
  'png' => 'image/png',
  'xxx' => 'yyyy/zzz'
);

For the types that PmWiki already knows about it's not necessary to repeat them here (the upload.php script adds PmWiki's defaults to whatever the administrator supplies). See also Cookbook:UploadTypes for additional types.

Other file size limits

There are other factors involved that affect upload file sizes. In Apache 2.0, there is a `LimitRequestBody directive that controls the maximum size of anything that is posted (including file uploads). Apache has this defaulted to unlimited size. However, some Linux distributions (e.g., Red Hat Linux) limit postings to 512K so this may need o be changed or increased. (Normally these settings are in an httpd.conf configuration file or in a file in /etc/httpd/conf.d.)

Problem noted on Red Hat 8.0/9.0 with Apache 2.0.x, the error "Requested content-length of 670955 is larger than the configured limit of 524288" was occurring under Apache and a "Page not found" would appear in the browser. Trying the above settings made no change with PHP, but on Red Hat 8.0/9.0 there is an additional PHP config file, /etc/httpd/conf.d/php.conf, and increasing the number on the line "LimitRequestBody 524288" solves the issue.

PHP itself has two limits on file uploads (usually located in /etc/php.ini). The first is the upload_max_filesize parameter, which is set to 2MB by default. The second is post_max_size, which is set to 6MB by default.

With the variables in place--PmWiki's maximum file size, Apache's request-size limits, and the PHP file size parameters, the maximum uploaded file size will be the smallest of the three variables.

Password protecting uploaded files

Setting a read password for pages (and groups) will prevent an attached file from being seen or accessed through the page, but to prevent direct access to the file location (the uploads/ directory) one can do the following:

• In local/config.php set $EnableDirectDownload=0;
• If you use per-group upload directories (PmWiki default, see $UploadPrefixFmt), add to config.php $EnableUploadGroupAuth = 1;
• Deny public access to the uploads/ directory through moving it out of the html/ or public_html/ directory tree, or through a .htaccess file.

See Cookbook:Secure attachments

• PHP php.ini ( /etc/php.ini /usr/local/lib/php.ini )

• php.ini upload_tmp_dir

httpd config.php $EnableDiag 1 URL

?action=phpinfo

"file_uploads" 1 ( "no value" )

$UploadExtSize['zip'] = 0;  # Disallow uploading .zip files
$UploadExtSize[''] = 0;     # Disallow files with no extension

   $UploadDirQuota = 100*1024;         # limit uploads to 100KiB
   $UploadDirQuota = 1000*1024;        # limit uploads to 1000KiB
   $UploadDirQuota = 1024*1024;        # limit uploads to 1MiB
   $UploadDirQuota = 25*1024*1024;     # limit uploads to 25MiB
   $UploadDirQuota = 2*1024*1024*1024; # limit uploads to 2GiB

upload_max_filesize = 8M

php_value post_max_size 63M
php_value upload_max_filesize 62M
php_value memory_limit 64M
php_value max_execution_time 600
php_value default_socket_timeout 600