On 09/01/06, Andreas Gohr <andi@xxxxxxxxxxxxxx> wrote:
> The whole thing works as intended. Only the string wikiname is a little
> bit misleading. The wikiname is a new filename in reality and this
> filename is checked for the correct extension. This is to prevent for
> example uploading files with the extension .php and thus creating a
> possibility to inject your own code by uploading a file. Imagine
> uploading a file test.txt but naming it test.php - if DokuWiki would
> check original file extension it would allow the upload but save it with
> a php extension which (under some circumstances) could be executed
> through apache. So "wikiname" just means "filename with correct
> extension and specialchars removed". Maybe this should be made clear in
> the docs.

Hm... But that would also allow people to upload a wmf file and name it gif (yeah, it is kind of a joke).

Shouldn't the original name be checked? I mean, if you block php files but not txt files and upload a php file with txt extension, apache would not process it (as it didn't have the correct extension).

[I'm not trying to push my point, I could have fixed it myself -- and, right now, I'm uploading files with the suggested wikiname -- I just want to explore the possibilities.]

--
Julio Biason <julio.biason@xxxxxxxxx>

--
DokuWiki mailing list - more info at http://wiki.splitbrain.org/wiki:mailinglist
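The check discussed in this thread (validate the extension of the name the file is stored under, not the name it was uploaded with), as an added PHP example that is not part of the original messages and not DokuWiki's code. It goes one step beyond the extension check by comparing leading bytes against the stored extension for the wmf-named-gif case; the function names, allowlist, signature table and sample uploads are constructed assumptions.

```php
<?php
// Added illustration, not DokuWiki code; names and lists are hypothetical.
const ALLOWED_EXT = ['txt', 'gif', 'png', 'jpg'];
const MAGIC = [
    'gif' => ["GIF87a", "GIF89a"],
    'png' => ["\x89PNG\r\n\x1a\n"],
    'jpg' => ["\xff\xd8\xff"],
];

// Reduce a requested name to a safe basename: lowercase, special chars removed.
function clean_name(string $name): string {
    $name = strtolower(basename(str_replace('\\', '/', $name)));
    $name = preg_replace('/[^a-z0-9._-]+/', '_', $name);
    return trim($name, '._');
}

// Decide on the name the file will be STORED under, because that is the
// name the web server maps to a handler. The original name is a fallback only.
function check_upload(string $originalName, string $wikiName): array {
    $stored = clean_name($wikiName !== '' ? $wikiName : $originalName);
    $ext = pathinfo($stored, PATHINFO_EXTENSION);
    return [in_array($ext, ALLOWED_EXT, true), $stored];
}

// Compare the file's leading bytes with the signatures known for $ext.
function content_matches(string $head, string $ext): bool {
    if (!isset(MAGIC[$ext])) {
        return true; // no signature known (e.g. txt): extension check only
    }
    foreach (MAGIC[$ext] as $sig) {
        if (strncmp($head, $sig, strlen($sig)) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed sample uploads: [original name, wikiname, first bytes of file].
$samples = [
    ['test.txt',    'test.php',    'hello'],
    ['page.php',    'notes.txt',   '<?php echo 1;'],
    ['picture.wmf', 'picture.gif', "\xd7\xcd\xc6\x9a\x00\x00"],
    ['logo.gif',    'logo.gif',    "GIF89a\x01\x00"],
];
foreach ($samples as [$orig, $wiki, $head]) {
    [$ok, $stored] = check_upload($orig, $wiki);
    $ok = $ok && content_matches($head, pathinfo($stored, PATHINFO_EXTENSION));
    printf("%-12s -> %-12s %s\n", $orig, $stored, $ok ? 'accept' : 'reject');
}
```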