UploadsAdmin

PmWiki has a feature script called upload.php that allows users to upload files to the wiki server from a web browser. These files can then be easily accessed using markup within wiki pages. This page describes how to install and configure the upload feature.

A note about security

Keep in mind that letting users (anonymously!) upload files to your web server does entail some amount of risk. The upload.php script has been designed to reduce the hazards, but WikiAdministrators should be aware that the potential for vulnerabilities exist, and that misconfiguration of the upload utility could lead to unwanted consequences.

Basic installation

The upload.php script is automatically included from stdconfig.php if the $EnableUpload variable is true in local.php. In addition, local.php can set the $UploadDir and $UploadUrlFmt variables to specify the local directory where uploaded files should be stored, and the URL that can be used to access that directory. By default, $UploadDir and $UploadUrlFmt assume that uploads will be stored in a directory called uploads within the current directory (usually the one containing pmwiki.php). In addition, local.php should also set a default upload password (see PasswordsAdmin).

Thus, a basic local.php configuration for uploads might look like:

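    <?php
      $EnableUpload = 1;                                    # include upload.php
      $UploadDir = "/home/john/public_html/uploads";        # local directory for uploaded files
      $UploadUrlFmt = "http://www.john.com/~john/uploads";  # URL that reaches $UploadDir
      $DefaultPasswords['upload'] = crypt('mysecret');      # default upload password
      ## more configuration entries here...
    ?>
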
For the upload feature to work properly, the directory given by $UploadDir must be writable by the web server process, and it must be in a location that is accessible to the web somewhere (e.g., in a subdirectory of public_html). The WikiAdministrator can either create the upload directory manually, or PmWiki will attempt to create the directory when it is run with the upload feature enabled. To have PmWiki automatically create the directory, (1) change the permissions of the parent directory to 2777, (2) execute PmWiki with the upload feature enabled, (3) verify that the upload directory is created, and (4) restore the parent directory's permissions to their previous value (755 is generally "safe").

For example, if the upload directory is going to be "/home/john/public_html/uploads", one would do "chmod 2777 /home/john/public_html", execute pmwiki.php, make sure that the upload directory was created ("ls /home/john/public_html"), and restore the permissions of the parent to normal ("chmod 755 /home/john/public_html").

Once the upload feature is enabled, users can access the upload form by adding "?action=upload" to the end of a normal PmWiki URL. The user will be prompted for an upload password similar to the way other pages ask for passwords (see Passwords and PasswordsAdmin for information about setting passwords on pages, groups, and the entire site).

Another way to access the upload form is to insert the markup "Attach:filename.ext" into an existing page, where filename.ext is the name of a new file to be uploaded. When the page is displayed, a '?-link' will be added to the end of the markup to take the author to the upload page.

By default, PmWiki will organize the uploaded files into separate subdirectories for each group. This can be changed by modifying the $UploadPrefixFmt variable.

Restricting uploaded files

The upload.php script performs a number of verifications on an uploaded file before storing it in the upload directory. The basic verifications are described below.

filenames - the name for the uploaded file can contain only letters, digits, underscores, hyphens, and periods, and the name must begin and end with a letter or digit. The variable $UploadNamePattern controls the names for uploaded files.

file extension - only files with approved extensions such as ".gif", ".jpg", ".doc", etc. are allowed to be uploaded to the web server. This is vitally important for server security, since the web server might attempt to execute or specially process files with extensions like ".php", ".cgi", etc.

file size - By default upload.php limits all uploads to 50K bytes, as specified by the $UploadMaxSize variable. Thus, to limit all uploads to 100K, simply specify

    $UploadMaxSize = 100000;

However, upload.php allows maximum file sizes to be specified for each type of file uploaded. Thus, an administrator can restrict ".gif" and ".jpeg" files to 20K, ".doc" files to 200K, and all others to the size given by $UploadMaxSize. The $UploadExtSize array is used to determine which file extensions are valid and the maximum upload size (in bytes) for each file type. For example:

    $UploadExtSize['gif'] = 20000;       # limit .gif files to 20K

Setting an entry to zero disables file uploads of that type altogether:

    $UploadExtSize['zip'] = 0;           # disallow .zip files

Another array called $UploadExts is used to fill $UploadExtSize with extensions that should be limited to $UploadMaxSize. By default $UploadExts has a number of popular (and "safe") file extensions in it, but this can be changed if the administrator wants to drastically limit the types of uploads. For example:

    $UploadExts = array('gif','jpeg','jpg','png','ppt');
    $UploadMaxSize = 20000;
    $UploadExtSize['ppt'] = 150000;
    $UploadExtSize['doc'] = 150000;

allows only GIF, JPEG, and PNG files up to 20K, PowerPoint and Word files up to 150K, and all other file types are refused.
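
The name, extension and size checks described in this section, modelled as a stand-alone PHP script and run against the example configuration above. This is an added example, not PmWiki's upload.php: check_upload(), build_ext_table() and NAME_PATTERN are hypothetical names, and the regular expression and the lower-casing of the extension are assumptions written from the prose rules.

```php
<?php
// Added example: models the checks described above. Not PmWiki's upload.php;
// check_upload(), build_ext_table() and NAME_PATTERN are hypothetical names.

// Letters, digits, underscores, hyphens and periods; must begin and end
// with a letter or digit (assumed pattern, written from the prose rule).
const NAME_PATTERN = '/^[A-Za-z0-9](?:[-A-Za-z0-9_.]*[A-Za-z0-9])?$/D';

// Fill the per-extension table as the text describes: every entry of $exts
// is limited to $maxSize unless $extSize already sets its own value.
function build_ext_table(array $exts, int $maxSize, array $extSize): array {
    foreach ($exts as $ext) {
        if (!isset($extSize[$ext])) $extSize[$ext] = $maxSize;
    }
    return $extSize;
}

// Returns 'ok' or the reason the upload is refused.
function check_upload(string $name, int $size, array $table): string {
    if (!preg_match(NAME_PATTERN, $name)) return 'bad name';
    $dot = strrpos($name, '.');
    if ($dot === false) return 'no extension';
    $ext = strtolower(substr($name, $dot + 1));   // assumption: case-insensitive
    if (!isset($table[$ext])) return 'extension not allowed';
    if ($table[$ext] == 0) return 'extension disabled';
    if ($size > $table[$ext]) return 'too large';
    return 'ok';
}

// The configuration from the example above, plus the zero entry for zip.
$table = build_ext_table(
    array('gif', 'jpeg', 'jpg', 'png', 'ppt'), 20000,
    array('ppt' => 150000, 'doc' => 150000, 'zip' => 0)
);

// Constructed sample uploads: name => size in bytes.
$samples = array(
    'logo.gif' => 12000, 'photo.jpg' => 45000, 'slides.ppt' => 120000,
    'notes.doc' => 150000, 'page.php' => 100, 'backup.zip' => 10,
    '.hidden.gif' => 50, 'report.png.' => 10, 'README' => 10,
);
foreach ($samples as $name => $size) {
    printf("%-12s %7d  %s\n", $name, $size, check_upload($name, $size, $table));
}
```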

There are two other factors involved that affect upload file sizes. In Apache 2.0, there is a LimitRequestBody directive that controls the maximum size of anything that is posted (including file uploads). Apache has this defaulted to unlimited size. However, some Linux distributions including Red Hat limit postings to 512K so this may need to be changed or increased.

PHP itself has two limits on file uploads. The first is the upload_max_filesize parameter, which is set to 2M by default. The second is post_max_size, which is set to 6M by default.

With these variables in place, the maximum uploaded file size will be the smallest of the three: PmWiki's maximum file size, the Linux distribution's posting limit, and the PHP file size parameters.
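
The "smallest limit wins" rule worked through in PHP, as an added example that is not part of PmWiki. to_bytes() and effective_upload_limit() are hypothetical helpers; Apache's LimitRequestBody has to be passed in by hand because PHP cannot read it, and a value of 0 is treated as "unlimited" for LimitRequestBody and post_max_size.

```php
<?php
// Added example, not part of PmWiki: which limit actually caps an upload?

// Convert PHP ini shorthand ("2M", "512K", "1G") to bytes.
function to_bytes(string $value): int {
    $value = trim($value);
    if ($value === '') return 0;
    $number = (int) $value;                       // leading digits only
    switch (strtoupper(substr($value, -1))) {
        case 'G': $number *= 1024;                // fall through
        case 'M': $number *= 1024;                // fall through
        case 'K': $number *= 1024;
    }
    return $number;
}

// $pmwikiMax: the PmWiki limit for this file type, in bytes.
// $limitRequestBody: Apache's LimitRequestBody in bytes (0 = unlimited),
//   copied by hand from the server configuration.
// Returns array(name of the limit in force, its size in bytes).
function effective_upload_limit(int $pmwikiMax, int $limitRequestBody,
                                string $uploadMaxFilesize, string $postMaxSize): array {
    $limits = array(
        'PmWiki $UploadMaxSize/$UploadExtSize' => $pmwikiMax,
        'PHP upload_max_filesize' => to_bytes($uploadMaxFilesize),
    );
    // 0 means "no limit" for these two, so count them only when they are set.
    if ($limitRequestBody > 0) $limits['Apache LimitRequestBody'] = $limitRequestBody;
    if (to_bytes($postMaxSize) > 0) $limits['PHP post_max_size'] = to_bytes($postMaxSize);
    $bytes = min($limits);
    return array(array_search($bytes, $limits), $bytes);
}

// PHP's own values are read from the running configuration.
list($name, $bytes) = effective_upload_limit(
    150000,                       // e.g. the 150K limit for .ppt files above
    524288,                       // constructed value: a 512K LimitRequestBody
    ini_get('upload_max_filesize'),
    ini_get('post_max_size')
);
echo "Uploads are capped at $bytes bytes by $name\n";
```

Run it through the web server rather than the command line, since the two often load different php.ini files.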

TODO: finish documenting UploadsAdmin

Other notes

Page last updated on 14 September 2003, at 17:55
