path: root/doc/todo/fileupload/discussion.mdwn
blob: 01c0cc3fedeb3c26801104791624207ed64e5ce1 (plain)
* Limits to the size of files that can be uploaded, to prevent someone
  spamming the wiki with CD ISOs.

> CGI.pm has a limitation that you can't prevent someone uploading 
> something huge and filling up your server.
> However it is obviously possible to not actually put it into the
> wiki if it's too large.
> Presumably there is also a way to limit the size of POST requests
> in the server.

* Limits to the type of files that can be uploaded, to prevent uploads of
  viruses, CSS, raw HTML etc., and to avoid file types that are not safe.
  Should default to excluding all file types, or at least all except
  a very limited set, and should be able to open it up to more types.

  Would checking for file extensions (.gif, .jpg etc.) be enough? Some
  browsers are probably too smart for their own good and may ignore
  the extension / MIME info and process the file as its actually detected
  type. It may be necessary to use `file` to determine a file's true type.
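  The two limits above as they would look in code, added here as an
  illustration; this is not ikiwiki's code and the 2 MiB limit, the
  image-only allow-list and the function names are assumptions. The
  body is read in chunks and abandoned as soon as it exceeds the limit,
  the type is decided from leading bytes (what `file` does) rather than
  from the name, and the extension must then agree with the detected
  type so a browser that trusts either one sees the same answer:

```python
"""Server-side validation of a wiki file upload: a byte limit enforced
while reading, a type decision based on content rather than extension,
and a check that the extension agrees with the detected type.
Added example, not ikiwiki code; limits and allow-list are assumptions."""
import io

MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # assumed limit, not a real ikiwiki setting
CHUNK = 64 * 1024

# Magic bytes for the "very limited set" suggested on the page: images only.
MAGIC = (
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
)
EXTENSIONS = {
    "image/gif": {"gif"},
    "image/png": {"png"},
    "image/jpeg": {"jpg", "jpeg"},
}


class UploadRejected(Exception):
    """Raised with a short reason; the caller discards the upload."""


def read_limited(stream, limit):
    """Read the body in chunks and abort as soon as it exceeds the limit,
    so an oversized upload is never held in memory or written out whole."""
    buf = bytearray()
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            return bytes(buf)
        buf.extend(chunk)
        if len(buf) > limit:
            raise UploadRejected("too large")


def sniff_type(data):
    """Decide the type from leading bytes, ignoring the filename entirely."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    return None


def contains_markup(data):
    """Defence in depth against content-sniffing browsers: refuse a file
    whose first KiB carries HTML/script tags even if its magic bytes are fine."""
    head = data[:1024].lower()
    return any(tag in head for tag in (b"<html", b"<script"))


def validate_upload(filename, stream, limit=MAX_UPLOAD_BYTES):
    """Return the detected MIME type of an acceptable upload, else raise."""
    data = read_limited(stream, limit)
    mime = sniff_type(data)
    if mime is None:
        raise UploadRejected("type not allowed")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in EXTENSIONS[mime]:
        raise UploadRejected("extension does not match content")
    if contains_markup(data):
        raise UploadRejected("embedded markup")
    return mime


def check(filename, data, limit=MAX_UPLOAD_BYTES):
    """Convenience wrapper over an in-memory body (constructed test input):
    returns 'ok:<mime>' or 'rejected:<reason>'."""
    try:
        return "ok:" + validate_upload(filename, io.BytesIO(data), limit)
    except UploadRejected as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    gif = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 20  # constructed
    print(check("logo.gif", gif))
    print(check("page.gif", b"<html><script>alert(1)</script></html>"))
    print(check("poly.gif", b"GIF89a<script>alert(1)</script>"))
    print(check("big.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 100, limit=64))
```

  The order matters: the size check runs while reading, before any
  type decision, so a huge body never reaches the sniffer; the magic
  check comes before the extension check so a renamed file is rejected
  on content, not on name. A web server's own request-body limit (the
  "limit the size of POST requests" the reply mentions) belongs in
  front of all of this, since CGI.pm will otherwise have read the whole
  body before this code runs.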

> I think using the extension is too risky, and as much information as
> possible should go into the decision. Saving the file to disk, then
> checking the type before using it seems like the best approach to me,
> as long as the file is deleted properly.

> Have you any thoughts on what the interface should be? I can see three
> options. First add a box to the file creation page that allows you
> to upload a file instead of the page. The second is an upload file
> link that asks for a page. The last would be an attachments system
> that e.g. Twiki use, where the file could be uploaded as a subpage.

> How about the limit setting etc.? Add it as a box on the admin's
> preference page, allow it anywhere using preprocessor directives,
> or have a configuration page that only the admin is allowed to edit
> (and perhaps people named on the page?)

> The syntax of the conditionals isn't too hard, as the things that
> are being added fit in nicely. It might be nice to allow plugins
> to register new functions for them, and provide callbacks to
> provide a yes/no answer. I haven't looked at the code yet,
> are the pagespecs uniform in all places, or is the conditional
> usage an extended one? i.e. can I lock pages based on date etc?
> --[[JamesWestby]]