[dokuwiki] Re: Problem uploading files

  • From: Andreas Gohr <andi@xxxxxxxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Mon, 9 Jan 2006 22:09:15 +0100

On Fri, 23 Dec 2005 15:59:41 +0000
Chris Smith <chris@xxxxxxxxxxxxx> wrote:

> > If I'm not mistaken, the solution is just change
> >
> >   $fn   = mediaFN($id);
> >
> > to
> >
> >   $fn   = mediaFN($_FILES["name"]);
> I see what you mean, I missed that before.  Perhaps you should file a 
> bug report (or post Andi a patch).  The whole restriction is kind of 
> odd, since there is no check done anywhere on the file contents, maybe
> it does make sense to have a restriction on what the wiki offers for 
> download to its visitors rather than what contributors are capable of 
> uploading.  The server can't be hurt by uploading (at least not if 
> permissions and .htaccess are set correctly) but potentially visitors 
> could be hurt by downloading an executable file. Under those 
> circumstances it does make sense to restrict the filenames used for 
> uploads.  I realise the message isn't configured that way and I don't 
> know what was in Andi's (or the author's) mind when they wrote that
> code...

The whole thing works as intended. Only the string wikiname is a little
bit misleading. The wikiname is a new filename in reality and this
filename is checked for the correct extension. This is to prevent for
example uploading files with the extension .php and thus creating a
possibility to inject your own code by uploading a file. Imagine
uploading a file test.txt but naming it test.php - if DokuWiki would
check original file extension it would allow the upload but save it with
a php extension which (under some circumstances) could be executed
through apache. So "wikiname" just means "filename with correct
extension and specialchars removed". Maybe this should be made clear in
the docs.


BTW: I'm back from my holidays but will need some time to go all my
mail... be patient ;-)

Other related posts: