On Fri, 23 Dec 2005 15:59:41 +0000 Chris Smith <chris@xxxxxxxxxxxxx> wrote: > > If I'm not mistaken, the solution is just change > > > > $fn = mediaFN($id); > > > > to > > > > $fn = mediaFN($_FILES["name"]); > > I see what you mean, I missed that before. Perhaps you should file a > bug report (or post Andi a patch). The whole restriction is kind of > odd, since there is no check done anywhere on the file contents, maybe > it does make sense to have a restriction on what the wiki offers for > download to its visitors rather than what contributors are capable of > uploading. The server can't be hurt by uploading (at least not if > permissions and .htaccess are set correctly) but potentially visitors > could be hurt by downloading an executable file. Under those > circumstances it does make sense to restrict the filenames used for > uploads. I realise the message isn't configured that way and I don't > know what was in Andi's (or the author's) mind when they wrote that > code... The whole thing works as intended. Only the string wikiname is a little bit misleading. The wikiname is a new filename in reality and this filename is checked for the correct extension. This is to prevent for example uploading files with the extension .php and thus creating a possibility to inject your own code by uploading a file. Imagine uploading a file test.txt but naming it test.php - if DokuWiki would check original file extension it would allow the upload but save it with a php extension which (under some circumstances) could be executed through apache. So "wikiname" just means "filename with correct extension and specialchars removed". Maybe this should be made clear in the docs. Andi BTW: I'm back from my holidays but will need some time to go all my mail... be patient ;-)