File Upload
PHP
In general, whenever you want a website to allow users to upload files, first check and configure the web server so that it allows file uploads and so that the server's constraints match your application settings.
For PHP, you can check the value of the post_max_size setting to be sure that the allowed size of an HTTP POST is congruent with your goals. In fact, the PHP Security Consortium recommends that you set a limit for post_max_size so that attackers are not permitted to "post bomb" your webserver.
# find all the php.ini files on your system and look at what they say
locate php.ini |xargs grep -i post_max
# find the php.ini files that are used in the default location for (K)ubuntu/Debian
grep -ri post_max /etc/php5/
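The check described above can be scripted. The following is an added example, not part of the original page: it reads one php.ini, flags a post_max_size of 0 (which disables the POST limit) and flags a post_max_size smaller than upload_max_filesize. upload_max_filesize is PHP's per-file upload limit and is not mentioned above; the function names and the sample php.ini are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the size limits that govern uploads in one php.ini.

# Convert PHP size shorthand (plain bytes, or a K/M/G suffix) to bytes.
php_size_to_bytes() {
    val=$(printf '%s' "$1" | tr -d ' "' | tr 'kmg' 'KMG')
    num=${val%[KMG]}
    case "$num" in ''|*[!0-9]*) return 1 ;; esac
    case "$val" in
        *K) echo $((num * 1024)) ;;
        *M) echo $((num * 1024 * 1024)) ;;
        *G) echo $((num * 1024 * 1024 * 1024)) ;;
        *)  echo "$num" ;;
    esac
}

# Print the last active (not ;-commented) value of directive $2 in ini file $1.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^;]*\).*/\1/p" "$1" |
        tail -n 1 | tr -d ' "'
}

# Report findings for one php.ini: returns 0 if clean, 1 on findings, 2 if unparsable.
audit_upload_limits() {
    post=$(ini_get "$1" post_max_size)
    upload=$(ini_get "$1" upload_max_filesize)
    # Fall back to PHP's built-in defaults (8M and 2M) when a directive is absent.
    post_b=$(php_size_to_bytes "${post:-8M}") || { echo "ERROR bad post_max_size"; return 2; }
    upload_b=$(php_size_to_bytes "${upload:-2M}") || { echo "ERROR bad upload_max_filesize"; return 2; }
    rc=0
    if [ "$post_b" -eq 0 ]; then
        echo "FAIL post_max_size=0 disables the POST size limit"
        rc=1
    elif [ "$post_b" -lt "$upload_b" ]; then
        echo "FAIL post_max_size ($post_b) is below upload_max_filesize ($upload_b)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK post_max_size=$post_b upload_max_filesize=$upload_b"
    return "$rc"
}

# Constructed sample php.ini (not taken from a real system).
sample=$(mktemp)
printf '%s\n' ';post_max_size = 1M' 'post_max_size = 8M' 'upload_max_filesize = 64M' > "$sample"
audit_upload_limits "$sample" || echo "findings reported above"
rm -f "$sample"
```

To audit a real installation, call audit_upload_limits on each file that the locate or grep commands above turn up.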
MediaWiki
Uploading Files
To upload a file, you simply click on the navigation link in the 'toolbox' to "upload file". This link brings you to the upload form (which is a special page in the wiki). Instructions are provided in the form, and it's as straightforward as selecting a file from your local system that you wish to upload.
Configuration
In the MediaWiki software, uploads are controlled by several settings in the 'LocalSettings.php' file. The documentation refers to 'images'; however, all types of files may be uploaded depending on how you configure your installation.
## To enable image uploads, make sure the 'images' directory
## is writable, then set this to true:
$wgEnableUploads = true;
/* Adding unlimited upload support */
## Accept extensions that are not listed in $wgFileExtensions:
$wgStrictFileExtensions = false;
$wgMimeDetectorCommand = "file -bi";
## Skip the check that a file's content matches its extension:
$wgVerifyMimeType = false;
Allowed File Types
This wiki does not allow users to upload any Microsoft file formats. In general, only open, standards-based file formats like those generated by OpenOffice are allowed.
The system administrator can define what file types are allowed to be uploaded. In an internal environment, you can be pretty lax about what is allowed. However, in a publicly accessible system, there are a number of issues with uploading certain content since it is then going to be either re-displayed, executed in some fashion by the system, or made available to other users.
Here is a representative list that includes all the file types for OpenOffice (including templates), ogg and mp3, the normal image file types, and a few text and XML types.
$wgFileExtensions = array();
$wgFileExtensions[] = 'gif';
$wgFileExtensions[] = 'ico';
$wgFileExtensions[] = 'jpeg';
$wgFileExtensions[] = 'jpg';
$wgFileExtensions[] = 'mp3';
$wgFileExtensions[] = 'odb';
$wgFileExtensions[] = 'odf';
$wgFileExtensions[] = 'odg';
$wgFileExtensions[] = 'odm';
$wgFileExtensions[] = 'odp';
$wgFileExtensions[] = 'ods';
$wgFileExtensions[] = 'odt';
$wgFileExtensions[] = 'ogg';
$wgFileExtensions[] = 'otg';
$wgFileExtensions[] = 'oth';
$wgFileExtensions[] = 'ots';
$wgFileExtensions[] = 'ott';
$wgFileExtensions[] = 'pdf';
$wgFileExtensions[] = 'png';
$wgFileExtensions[] = 'stc';
$wgFileExtensions[] = 'std';
$wgFileExtensions[] = 'sti';
$wgFileExtensions[] = 'stw';
$wgFileExtensions[] = 'swx';
$wgFileExtensions[] = 'sxc';
$wgFileExtensions[] = 'sxg';
$wgFileExtensions[] = 'sxi';
$wgFileExtensions[] = 'sxm';
$wgFileExtensions[] = 'txt';
$wgFileExtensions[] = 'xml';
$wgFileExtensions[] = 'xsd';
$wgFileExtensions[] = 'xsl';
$wgFileExtensions[] = 'xslt';
Technical Resources
Handling file uploads is covered in the PHP manual. Note the 'PUT' support. The Amaya web authoring tool from the W3C uses PUT for uploading. HTTP PUT is distinct from regular POST file upload processing.