Codex

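PmWiki includes an upload.php script that allows users to upload files to the wiki server using a web browser. Uploaded files (also called attachments) can then be easily accessed from within wiki pages using markup. This page describes how to install and configure the upload feature.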

A note about security:

PmWiki takes a somewhat, but justifiably, paranoid stance when it comes to the uploads feature. Thus, the default settings for uploads tend to try to restrict the feature as much as possible:

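  • The upload feature is turned off by default
  • Even if you enable it, it is password protected by default
  • Even if you remove the password, uploads are still restricted to certain file names, types and sizes
  • The characters allowed in upload file names are restricted (by default) to digits, hyphens, underscores, dots and spaces (see here).
  • Uploaded attachments have a maximum file size (50K by default)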

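This way the potential damage is limited unless the wiki administrator explicitly relaxes the restrictions.

Keep in mind that letting users (anonymously!) upload files to your web server carries some additional risk. The upload.php script is designed to reduce the hazards, but wiki administrators should be aware that the potential for security vulnerabilities exists, and that a misconfigured upload facility could lead to unwanted consequences.

By default, authorized users can overwrite files that have already been uploaded, and the previous file cannot be restored. If you want to prevent users from overwriting files that already exist, add the following line to config.php: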

$EnableUploadOverwrite = 0;

Alternatively, an administrator can keep older versions of uploads.

An administrator can also configure PmWiki's password mechanism to control access to uploaded files.

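Basic installation

The upload.php script is automatically included by stdconfig.php when the $EnableUpload variable is set to true in config.php. In addition, config.php can set the $UploadDir and $UploadUrlFmt variables to specify the local directory where uploaded files should be stored and the URL that can be used to access that directory. By default, $UploadDir and $UploadUrlFmt assume that uploads will be stored in a directory named uploads/ within the current directory (usually the one containing pmwiki.php). config.php should also set a default upload password (see PasswordsAdmin).

Thus, a basic config.php for uploads might look like:

If you have edit passwords and want to allow all users with edit rights to upload, then instead of setting $DefaultPasswords['upload'] you can set $HandleAuth['upload'] = 'edit'; in config.php.

Important: do not create the upload directory yourself! See the next paragraph.

You may also need to explicitly set the file system directory used for uploads and provide a URL that corresponds to that directory, for example: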

Upload directory configuration

Uploads can be configured site-wide, by-group (default), or by-page by changing $UploadPrefixFmt in config.php. This determines whether all uploads go in one directory for the site, an individual directory for each group, or an individual directory for each page. The default is to organize uploads by group.
It is recommended that $UploadPrefixFmt be set in config.php so that it is the same for all pages, rather than set differently in per-group or per-page local configuration files. Otherwise you will not be able to link to attachments in other wiki groups.

Single upload directory

For site-wide uploads, use

$UploadPrefixFmt = '';

Per-page upload directories

To organize uploads by page, use:

$UploadPrefixFmt = '/$Group/$Name';

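The upload directory

For the upload feature to work properly, the directory given by $UploadDir must be writable by the web server process, and it is usually placed in a location that is accessible from the web (for example, in a subdirectory of public_html). Running PmWiki with uploads enabled will prompt you with the steps required to create the upload directory on your server (it differs from one server to the next). Note that you are likely to be required to explicitly create writable group- or page-specific subdirectories as well!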

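Uploading a file

Once the upload feature is enabled, users can reach the upload form by adding "?action=upload" to the end of a normal PmWiki URL. The user will be prompted for an upload password, similar to the way other pages ask for passwords (see Passwords and PasswordsAdmin for information about setting passwords on pages, groups, and the entire site).

Another way to reach the upload form is to insert the markup "Attach:filename.ext" into an existing page, where filename.ext is the name of a new file to be uploaded. When the page is displayed, a '?-link' will be added to the end of the markup to take the author to the upload page. (See Uploads for syntax variations.)

By default, PmWiki organizes uploaded files into a separate subdirectory for each group. This can be changed by modifying the $UploadPrefixFmt variable. See Cookbook:UploadGroups.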

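Versioning uploaded files

PmWiki does not manage versions of uploaded files by default. However, by setting $EnableUploadVersions=1; an administrator can have older versions of uploads kept in the upload directory along with the most recent version.

Upload restrictions

Restricting uploads for groups and pages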

Uploads can be enabled only for specific groups or pages by using a group customization. Simply set $EnableUpload=1; for those groups or pages where uploading is to be enabled; alternately, set $EnableUpload=1; in the config.php file and then set $EnableUpload=0; in the per-group or per-page customization files where uploads are to be disabled.

Restricting total upload size for a group or the whole wiki

Uploads can be restricted to an overall size limit for groups. In the group configuration file (i.e., local/Group.php), add the line

$UploadPrefixQuota = 1000000; # limit group uploads to 1000KB (1MB)

This will limit the total size of uploads for that group to 1000KB --any upload that pushes the total over the limit will be rejected with an error message. This value defaults to zero (unlimited).

Uploads can also be restricted to an overall size limit for all uploads. Add the line

$UploadDirQuota = 10000000; # limit total uploads to 10000KB (10MB)

This will limit the total size of uploads for the whole wiki to 10000KB --any upload that pushes the total over the limit will be rejected with an error message. This value defaults to zero (unlimited).

Restricting uploaded file types and sizes

The upload script performs a number of verifications on an uploaded file before storing it in the upload directory. The basic verifications are described below.

File names
the name for the uploaded file can contain only letters, digits, underscores, hyphens, spaces, and periods, and the name must begin and end with a letter or digit.
File extension
only files with approved extensions such as ".gif", ".jpeg", ".doc", etc. are allowed to be uploaded to the web server. This is vitally important for server security, since the web server might attempt to execute or specially process files with extensions like ".php", ".cgi", etc.
File size
By default all uploads are limited to 50K bytes, as specified by the $UploadMaxSize variable. Thus, to limit all uploads to 100KB, simply specify a new value for $UploadMaxSize in config.php:
$UploadMaxSize = 100000;

However, the file size limit can also be specified for each type of uploaded file. Thus, an administrator can restrict ".gif" and ".jpeg" files to 20K, ".doc" files to 200K, and all others to the size given by $UploadMaxSize. The $UploadExtSize array is used to determine which file extensions are valid and the maximum upload size (in bytes) for each file type. For example:

$UploadExtSize['gif'] = 20000; # limit .gif files to 20KB

Setting an entry to zero disables file uploads of that type altogether:

You can limit which types of files are uploadable by disabling all defaults and specifying only the desired types. Setting the variable $UploadMaxSize to zero will disable all default file types. Individual file types may then be enabled by setting their maximum size with the variable $UploadExtSize.
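The checks described above, modelled as a stand-alone PHP function so the effect of a given set of limits can be tried out; this is an added example, not code from PmWiki's upload.php. The function name check_upload() and the sample settings are hypothetical, with the size limits taken from the text.

```php
<?php
// Added illustration, not PmWiki's upload.php: a stand-alone model of the
// name, extension and size checks as this page describes them.
// check_upload() and the sample settings below are hypothetical.

function check_upload(string $name, int $size, array $exts, array $extSize, int $maxSize): string
{
    // Name: letters, digits, underscores, hyphens, spaces and periods only,
    // beginning and ending with a letter or digit.
    if (!preg_match('/^[A-Za-z0-9](?:[A-Za-z0-9_. -]*[A-Za-z0-9])?$/D', $name)) {
        return 'rejected: file name';
    }
    // Extension: the text after the last period ('' when there is none),
    // lower-cased here (an assumption of this model).
    $dot = strrpos($name, '.');
    $ext = ($dot === false) ? '' : strtolower(substr($name, $dot + 1));
    if (!array_key_exists($ext, $exts)) {
        return "rejected: extension '$ext' is not approved";
    }
    // Size: a per-extension entry overrides the general maximum,
    // and a limit of zero switches the type off.
    $limit = $extSize[$ext] ?? $maxSize;
    if ($limit <= 0) {
        return "rejected: extension '$ext' is disabled";
    }
    if ($size > $limit) {
        return "rejected: $size bytes exceeds the $limit byte limit";
    }
    return 'accepted';
}

// Constructed sample settings, using the limits quoted in the text above.
$exts    = ['gif' => 'image/gif', 'jpeg' => 'image/jpeg',
            'doc' => 'application/msword', 'zip' => 'application/zip',
            'txt' => 'text/plain'];
$extSize = ['gif' => 20000, 'jpeg' => 20000, 'doc' => 200000, 'zip' => 0];
$maxSize = 50000;

// Constructed uploads: [file name, size in bytes].
$uploads = [['logo.gif', 15000], ['logo.gif', 30000], ['report.doc', 150000],
            ['notes.txt', 60000], ['backup.zip', 100], ['page.php', 100],
            ['.htaccess', 10], ['README', 10]];
foreach ($uploads as [$name, $size]) {
    printf("%-12s %7d  %s\n", $name, $size, check_upload($name, $size, $exts, $extSize, $maxSize));
}
```

Only the first and third constructed uploads are accepted; each of the others is rejected by one of the three checks.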

Adding new file types to permitted uploads

To add a new extension to the list of allowed upload types, add a line like the following to a local customization file:

$UploadExts['ext'] = 'content-type';

where ext is the extension to be added, and content-type is the "MIME type", or content-type (which you may find here or on the lower part of this page) to be used for files with that extension. For example, to add the 'dxf' extension with a Content-Type of 'image/x-dxf', place the line

$UploadExts['dxf'] = 'image/x-dxf';

Each entry in $UploadExts needs to be the extension and the mime-type associated with that extension, thus:

For the types that PmWiki already knows about it's not necessary to repeat them here (the upload.php script adds PmWiki's defaults to whatever the administrator supplies). See also Cookbook:UploadTypes for additional types.

Other file size limits

There are other factors involved that affect upload file sizes. In Apache 2.0, there is a LimitRequestBody directive that controls the maximum size of anything that is posted (including file uploads). Apache has this defaulted to unlimited size. However, some Linux distributions (e.g., Red Hat Linux) limit postings to 512K so this may need to be changed or increased. (Normally these settings are in an httpd.conf configuration file or in a file in /etc/httpd/conf.d.)

A problem was noted on Red Hat 8.0/9.0 with Apache 2.0.x: the error "Requested content-length of 670955 is larger than the configured limit of 524288" was occurring under Apache and a "Page not found" would appear in the browser. Trying the above settings made no change with PHP, but on Red Hat 8.0/9.0 there is an additional PHP config file, /etc/httpd/conf.d/php.conf, and increasing the number on the line "LimitRequestBody 524288" solves the issue.

PHP itself has two limits on file uploads (usually located in /etc/php.ini). The first is the upload_max_filesize parameter, which is set to 2MB by default. The second is post_max_size, which is set to 6MB by default.

With the variables in place--PmWiki's maximum file size, Apache's request-size limits, and the PHP file size parameters, the maximum uploaded file size will be the smallest of the three variables.

Password protecting uploaded files

Setting a read password for pages (and groups) will prevent an attached file from being seen or accessed through the page, but to prevent direct access to the file location (the uploads/ directory) one can do the following:

  • In local/config.php set $EnableDirectDownload=0;
  • If you use per-group upload directories (PmWiki default, see $UploadPrefixFmt), add to config.php $EnableUploadGroupAuth = 1;
  • Deny public access to the uploads/ directory through moving it out of the html/ or public_html/ directory tree, or through a .htaccess file.

See Cookbook:Secure attachments
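The three steps above, together with the password, overwrite and quota settings described earlier on this page, combined into one config.php as an added example (not PmWiki's own sample file). The password and the directory path are placeholders, and pmcrypt() is assumed to be available as PmWiki's password-hashing helper.

```php
<?php if (!defined('PmWiki')) exit();
## Added example config.php: uploads enabled, with the access restrictions
## described on this page. All values are illustrative.

$EnableUpload = 1;                       # uploads are off by default

## Site-wide upload password. 'CHANGE-ME' is a placeholder.
## pmcrypt() is PmWiki's password-hash helper (older releases used crypt()).
$DefaultPasswords['upload'] = pmcrypt('CHANGE-ME');

## Files that already exist cannot be overwritten by a later upload.
$EnableUploadOverwrite = 0;

## Size caps, in bytes.
$UploadMaxSize     = 50000;              # per file
$UploadExtSize['gif'] = 20000;           # tighter cap for .gif files
$UploadDirQuota    = 25*1024*1024;       # all uploads together (0 = unlimited)

## Route downloads through PmWiki instead of linking to the uploads/ URL.
$EnableDirectDownload  = 0;
$EnableUploadGroupAuth = 1;              # for per-group upload directories

## Placeholder path outside html/ or public_html/, so the web server
## does not hand the files out directly.
$UploadDir = '/path/outside/public_html/uploads';
```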

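Other notes

  • If uploads do not work, make sure your PHP installation supports uploads: the php.ini file (usually located at /etc/php.ini or /usr/local/lib/php.ini) must contain:
file_uploads = On
  • Another possible cause of errors is that upload_tmp_dir is not defined in php.ini. For example, you can point this variable at a temporary directory by entering:
upload_tmp_dir = /tmp

Note that after changing the values above you usually have to restart httpd. Another way to check is to set $EnableDiag to 1 in config.php and append the following to the URL:

?action=phpinfo

The "file_uploads" variable should have the value 1 (if it shows "no value", uploads are turned off).

How do I disable uploading of a certain type of file?

Here is an example of what to add to your local/config.php to disable uploading of .zip files, or of files with no extension: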

How do I attach uploads to individual pages or the entire site, instead of organizing them by wiki group?

Use the $UploadPrefixFmt variable (see also the Cookbook:UploadGroups recipe).

$UploadPrefixFmt = '/$FullName'; # per-page
$UploadPrefixFmt = ''; # site-wide

For $UploadDirQuota - can you provide some units and numbers? Is the specification in bytes or bits? What is the number for 100K? 1 Meg? 1 Gig? 1 Terabyte?

Units are in bytes.

$UploadDirQuota = 100*1024; # limit uploads to 100KiB
$UploadDirQuota = 1000*1024; # limit uploads to 1000KiB
$UploadDirQuota = 1024*1024; # limit uploads to 1MiB
$UploadDirQuota = 25*1024*1024; # limit uploads to 25MiB
$UploadDirQuota = 2*1024*1024*1024; # limit uploads to 2GiB

Can I upload files whose names use non-Unicode or other encodings?

Yes, see $UploadNameChars.

Where is the list of attachments stored?

It is generated on the fly by the ? markup.

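How can I find missing attachments?

See Cookbook:Attachlist enhanced

How do I prevent my uploaded images from being hotlinked?

Cookbook:Prevent Hotlinking

I set the upload file size to 8MB in config.php, so why can I only upload files smaller than 2MB?

Check upload_max_filesize in your php.ini.

If you cannot change the php.ini file, change the .htaccess file on the server directly: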