File Upload: Difference between revisions
Latest revision as of 13:30, 24 February 2025
PHP
In general, whenever you want to have a website allow users to upload files, you first want to check and set the web server to ensure that it's allowing file uploads, and that the constraints in the server match your application settings.
For PHP, you can check on the value of the post_max_size setting to be sure that the allowed size of an HTTP POST is congruent with your goals. In fact, the PHP Security Consortium recommends that you set a limit for post_max_size so that attackers are not permitted to "post bomb" your webserver.
# find all the php.ini files on your system and look at what they say
locate php.ini |xargs grep -i post_max
# find the php.ini files that are used in the default location for (K)ubuntu/Debian
grep -ri post_max /etc/php5/
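Going one step beyond grepping for the value, the script below reads a single php.ini and checks that `post_max_size` is actually limited and is not smaller than `upload_max_filesize`. It is an added example, not part of the original page; the function names are hypothetical, the sample file is constructed, and the fallback values 8M and 2M are PHP's built-in defaults for the two directives.

```shell
#!/bin/sh
# Added example: check one php.ini for the request-size limits discussed above.

# Convert PHP shorthand sizes (512K, 8M, 1G, or plain bytes) to bytes.
to_bytes() {
    n=$(printf '%s' "$1" | tr -d ' "' | tr 'kmg' 'KMG')
    case "$n" in
        *K) echo $(( ${n%K} * 1024 )) ;;
        *M) echo $(( ${n%M} * 1024 * 1024 )) ;;
        *G) echo $(( ${n%G} * 1024 * 1024 * 1024 )) ;;
        *)  echo "${n:-0}" ;;
    esac
}

# Last uncommented value of directive $2 in ini file $1 (later lines override).
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Print one verdict line for the php.ini at $1.
audit_php_ini() {
    post=$(ini_value "$1" post_max_size)
    upload=$(ini_value "$1" upload_max_filesize)
    post=${post:-8M}      # PHP's built-in default when unset
    upload=${upload:-2M}  # PHP's built-in default when unset
    pb=$(to_bytes "$post")
    ub=$(to_bytes "$upload")
    if [ "$pb" -eq 0 ]; then
        echo "FAIL post_max_size=$post disables the POST size limit"
    elif [ "$ub" -gt "$pb" ]; then
        echo "WARN upload_max_filesize=$upload exceeds post_max_size=$post"
    else
        echo "OK post_max_size=$post upload_max_filesize=$upload"
    fi
}

# Constructed sample file, not taken from a real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
;post_max_size = 8M
post_max_size = 0
upload_max_filesize = 64M
EOF
audit_php_ini "$sample"
rm -f "$sample"
```

Run `audit_php_ini` against each file that `locate php.ini` returns, since the CLI and the web server often load different ones.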
MediaWiki
Uploading Files
To upload a file, you simply click on the navigation link in the 'toolbox' to "upload file". This link brings you to the upload form (which is a special page in the wiki). Instructions are provided in the form, and it's as straightforward as selecting a file from your local system that you wish to upload. More help is available at the meta site Help:Images and other uploaded files.
Configuration
In the MediaWiki software, uploads are controlled by several settings in the 'LocalSettings.php' file. The documentation refers to 'images'; however, all types of files may be uploaded depending on how you configure your installation.
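## To enable image uploads, make sure the 'images' directory
## is writable, then set this to true:
$wgEnableUploads = true;
/* Adding unlimited upload support */
## Extensions outside $wgFileExtensions only trigger a warning that users may override.
$wgStrictFileExtensions = false;
## Command used to detect a file's MIME type.
$wgMimeDetectorCommand = "file -bi";
## Uploaded files are not checked against the MIME type expected for their extension.
$wgVerifyMimeType = false;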
Allowed File Types
This wiki does not allow users to upload any Microsoft file formats. In general, only open, standards-based file formats like those generated by OpenOffice are allowed.
The system administrator can define what file types are allowed to be uploaded. In an internal environment, you can be pretty lax about what is allowed. However, in a publicly accessible system, there are a number of issues with uploading certain content since it is then going to be either re-displayed, executed in some fashion by the system, or made available to other users.
Here is a representative list that includes all the file types for OpenOffice (including templates), ogg and mp3 plus normal image file types, a few text and XML types.
$wgFileExtensions = array();
$wgFileExtensions[] = 'gif';
$wgFileExtensions[] = 'ico';
$wgFileExtensions[] = 'jpeg';
$wgFileExtensions[] = 'jpg';
$wgFileExtensions[] = 'mp3';
$wgFileExtensions[] = 'odb';
$wgFileExtensions[] = 'odf';
$wgFileExtensions[] = 'odg';
$wgFileExtensions[] = 'odm';
$wgFileExtensions[] = 'odp';
$wgFileExtensions[] = 'ods';
$wgFileExtensions[] = 'odt';
$wgFileExtensions[] = 'ogg';
$wgFileExtensions[] = 'otg';
$wgFileExtensions[] = 'oth';
$wgFileExtensions[] = 'ots';
$wgFileExtensions[] = 'ott';
$wgFileExtensions[] = 'pdf';
$wgFileExtensions[] = 'png';
$wgFileExtensions[] = 'stc';
$wgFileExtensions[] = 'std';
$wgFileExtensions[] = 'sti';
$wgFileExtensions[] = 'stw';
$wgFileExtensions[] = 'swx';
$wgFileExtensions[] = 'sxc';
$wgFileExtensions[] = 'sxg';
$wgFileExtensions[] = 'sxi';
$wgFileExtensions[] = 'sxm';
$wgFileExtensions[] = 'txt';
$wgFileExtensions[] = 'xml';
$wgFileExtensions[] = 'xsd';
$wgFileExtensions[] = 'xsl';
$wgFileExtensions[] = 'xslt';
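On a publicly accessible wiki the extension list above only restricts uploads if the checks from the Configuration section are left on. The following script is an added example, not part of the original page or of MediaWiki: it reports which of those checks a LocalSettings.php turns off. It assumes one assignment per line as in the fragments above, the function names are hypothetical, the sample file is constructed, and unset values fall back to MediaWiki's defaults (uploads off, both checks on).

```shell
#!/bin/sh
# Added example: report which MediaWiki upload checks a LocalSettings.php disables.

# Last uncommented boolean assigned to $<name> ($2) in file $1; empty if never set.
wg_bool() {
    sed -n 's/^[[:space:]]*\$'"$2"'[[:space:]]*=[[:space:]]*\([A-Za-z]*\)[[:space:]]*;.*/\1/p' "$1" \
        | tail -n 1 | tr 'A-Z' 'a-z'
}

# Print INFO/WARN lines describing the upload configuration in file $1.
audit_uploads() {
    f=$1
    findings=0
    enabled=$(wg_bool "$f" wgEnableUploads)
    if [ "${enabled:-false}" != true ]; then   # MediaWiki default: uploads off
        echo "INFO uploads are disabled"
        return 0
    fi
    for s in wgStrictFileExtensions wgVerifyMimeType; do
        v=$(wg_bool "$f" "$s")
        if [ "${v:-true}" = false ]; then      # MediaWiki default: check on
            case "$s" in
                wgStrictFileExtensions)
                    why="users may override the warning for unlisted extensions" ;;
                wgVerifyMimeType)
                    why="content is not checked against the extension's MIME type" ;;
            esac
            echo "WARN \$$s = false: $why"
            findings=$((findings + 1))
        fi
    done
    count=$(grep -c '^[[:space:]]*\$wgFileExtensions\[\]' "$f" || true)
    echo "INFO $count extensions appended to \$wgFileExtensions; $findings checks disabled"
}

# Constructed sample mirroring the configuration fragment shown earlier.
sample=$(mktemp)
cat > "$sample" <<'EOF'
$wgEnableUploads = true;
$wgStrictFileExtensions = false;
$wgMimeDetectorCommand = "file -bi";
$wgVerifyMimeType = false;
$wgFileExtensions[] = 'gif';
$wgFileExtensions[] = 'xml';
EOF
audit_uploads "$sample"
rm -f "$sample"
```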
Technical Resources
Handling file uploads is covered in the PHP manual. Note the 'PUT' support. The Amaya web authoring tool from the W3C uses PUT for uploading. HTTP PUT is distinct from regular POST file upload processing.