From 0a37c45f32b6a0cf92eb046deabf933fb48ac197 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Mon, 30 Jun 2008 22:58:33 -0400 Subject: basic attachment plugin, unfinished Currently includes UI, and a few tests of the attachment, as well as the framework to extend pagespecs to test attachments. Does not actually save the file yet. --- doc/plugins/attachment.mdwn | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 doc/plugins/attachment.mdwn (limited to 'doc/plugins/attachment.mdwn') diff --git a/doc/plugins/attachment.mdwn b/doc/plugins/attachment.mdwn new file mode 100644 index 000000000..a03865987 --- /dev/null +++ b/doc/plugins/attachment.mdwn 
@@ -0,0 +1,43 @@ +[[template id=plugin name=conditional core=1 author="[[Joey]]"]] +[[tag type/useful]] + +This plugin allows files to be uploaded to the wiki over the web. + +For each page `foo`, files in the subdirectory `foo/` are treated as +attachments of that page. Attachments can be uploaded and managed as +part of the interface for editing a page. + +Warning: Do not enable this plugin on publically editable wikis, unless you +take care to lock down the types and sizes of files that can be uploaded. +Bear in mind that if you let anyone upload a particular kind of file +("*.mp3" files, say), then someone can abuse your wiki in at least three ways: + +1. By uploading many mp3 files, wasting your disk space. +2. By uploading mp3 files that attempt to exploit security holes + in web browsers or other players. +3. By uploading files that claim to be mp3 files, but are really some + other kind of file. Some web browsers may display a `foo.mp3` that + contains html as a web page; including running any malicious javascript + embedded in that page. + +To provide a way to combat these abuses, the wiki admin can specify a +[[ikiwiki/PageSpec]] on their preferences page, to control what types of +attachments can be uploaded. The regular [[ikiwiki/PageSpec]] syntax is +expanded with additional tests. + +For example, to limit arbitrary files to 50 kilobtes, but allow +larger mp3 files to be uploaded, a test like this could be used: + + (*.mp3 and maxsize(15mb)) or (* and maxsize(50kb)) + +The following additional tests are available: + +* maxsize(size) + + Tests whether the attachment is no larger than the specified size. + The size defaults to being in bytes, but "kb", "mb", "gb" etc can be + used to specify the units. + +* minsize(size) + + Tests whether the attachment is no smaller than the specified size. -- cgit v1.2.3 From b01ee9b3b33daa8d305017aa914913f3dac20ce5 Mon Sep 17 00:00:00 2001 
From: Joey Hess Date: Mon, 30 Jun 2008 23:17:01 -0400 Subject: add an ispage limit --- IkiWiki/Plugin/attachment.pm | 33 ++++++++++++++++++++++----------- doc/plugins/attachment.mdwn | 12 +++++++++++- 2 files changed, 33 insertions(+), 12 deletions(-) (limited to 'doc/plugins/attachment.mdwn') diff --git a/IkiWiki/Plugin/attachment.pm b/IkiWiki/Plugin/attachment.pm index 48a1c58b4..186f3ea21 100644 --- a/IkiWiki/Plugin/attachment.pm +++ b/IkiWiki/Plugin/attachment.pm @@ -8,7 +8,7 @@ use CGI; $CGI::DISABLE_UPLOADS=0; # TODO move to admin prefs -$config{valid_attachments}="(*.mp3 and maxsize(15mb)) or (* and maxsize(50kb))"; +$config{valid_attachments}="(*.mp3 and maxsize(15mb)) or (!ispage() and maxsize(50kb))"; sub import { #{{{ hook(type => "formbuilder_setup", id => "attachment", call => \&formbuilder_setup); @@ -48,12 +48,12 @@ sub formbuilder (@) { #{{{ if (IkiWiki::file_pruned($filename, $config{srcdir})) { error(gettext("bad attachment filename")); } - + # Use a pagespec to test that the attachment is valid. if (exists $config{valid_attachments} && length $config{valid_attachments}) { my $result=pagespec_match($filename, $config{valid_attachments}, - tempfile => $tempfile); + file => $tempfile); if (! $result) { error(gettext("attachment rejected")." ($result)"); } @@ -101,15 +101,15 @@ sub match_maxsize ($$;@) { #{{{ } my %params=@_; - if (! exists $params{tempfile}) { + if (! exists $params{file}) { return IkiWiki::FailReason->new("no tempfile specified"); } - if (-s $params{tempfile} > $maxsize) { - return IkiWiki::FailReason->new("attachment too large"); + if (-s $params{file} > $maxsize) { + return IkiWiki::FailReason->new("file too large"); } else { - return IkiWiki::SuccessReason->new("attachment size ok"); + return IkiWiki::SuccessReason->new("file not too large"); } } #}}} 
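Review bot: The `file => $tempfile` pagespec check in formbuilder is gated on `exists $config{valid_attachments} && length $config{valid_attachments}`, so an absent or empty setting skips the test entirely and accepts the upload instead of rejecting it. In this commit the hard-coded default two hunks up keeps the spec non-empty, but the `# TODO move to admin prefs` line beside it means a blank preference field would later switch the filter off silently. Failing closed is the safer default for a filter whose documentation warns about publicly editable wikis: `else { error(gettext("attachment rejected")." (no valid_attachments configured)"); }`. formbuilder starts and ends outside this hunk.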
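Review bot: In match_maxsize the renamed check `-s $params{file} > $maxsize` passes when the path does not exist or cannot be stat'ed, because `-s` then returns undef, which compares as 0 and yields "file not too large"; match_minsize in the next hunk (`@@ -121,15 +121,26`) goes the other way and rejects in that case, so the two tests disagree about a missing file. Capturing the size first makes both fail closed: `my $size = -s $params{file};` followed by `return IkiWiki::FailReason->new("file size unknown") unless defined $size;`. The message `"no tempfile specified"` in both subs still names the old parameter; `"no file specified"` matches the new `file` key.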
@@ -121,15 +121,26 @@ sub match_minsize ($$;@) { #{{{ } my %params=@_; - if (! exists $params{tempfile}) { + if (! exists $params{file}) { return IkiWiki::FailReason->new("no tempfile specified"); } - if (-s $params{tempfile} < $minsize) { - return IkiWiki::FailReason->new("attachment too small"); + if (-s $params{file} < $minsize) { + return IkiWiki::FailReason->new("file too small"); + } + else { + return IkiWiki::SuccessReason->new("file not too small"); + } +} #}}} + +sub match_ispage ($$;@) { #{{{ + my $filename=shift; + + if (IkiWiki::pagetype($filename)) { + return IkiWiki::SuccessReason->new("file is a wiki page"); } else { - return IkiWiki::SuccessReason->new("attachment size ok"); + return IkiWiki::FailReason->new("file is not a wiki page"); } } #}}} diff --git a/doc/plugins/attachment.mdwn b/doc/plugins/attachment.mdwn index a03865987..019d1c9e4 100644 --- a/doc/plugins/attachment.mdwn +++ b/doc/plugins/attachment.mdwn @@ -28,7 +28,7 @@ expanded with additional tests. For example, to limit arbitrary files to 50 kilobtes, but allow larger mp3 files to be uploaded, a test like this could be used: - (*.mp3 and maxsize(15mb)) or (* and maxsize(50kb)) + (*.mp3 and maxsize(15mb)) or (!ispage() and maxsize(50kb)) The following additional tests are available: @@ -41,3 +41,13 @@ The following additional tests are available: * minsize(size) Tests whether the attachment is no smaller than the specified size. + +* ispage() + + Tests whether the attachment will be treated by ikiwiki as a wiki page. + (Ie, if it has an extension of ".mdwn", or of any other enabled page + format). + + So, if you don't want to allow wiki pages to be uploaded as attachments, + use `!ispage()` ; if you only want to allow wiki pages to be uploaded + as attachments, use `ispage()`. -- cgit v1.2.3 From ba707cdcd997c09f1fe0efc2addd03f8553303ea Mon Sep 17 00:00:00 2001 
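Review bot: match_ispage decides by the filename alone, via `IkiWiki::pagetype($filename)`, and never looks at the uploaded content, so `!ispage()` only excludes names carrying a page extension; that limit is exactly what the plugin's own warning about files that claim to be one type but are another describes, and it deserves a comment on the sub: `# Decided by filename extension only (IkiWiki::pagetype); the upload's contents are not inspected.`. The sub also ignores the spec argument and any `%params`, which is fine for a no-argument test but worth a word so the `($$;@)` prototype does not suggest otherwise.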
From: Joey Hess Date: Wed, 2 Jul 2008 16:33:35 -0400 Subject: add user and ip support to attachment pagespecs --- IkiWiki/Plugin/attachment.pm | 39 ++++++++++++++++++++++++++++++++++++++- doc/plugins/attachment.mdwn | 21 ++++++++++++++++----- 2 files changed, 54 insertions(+), 6 deletions(-) (limited to 'doc/plugins/attachment.mdwn') diff --git a/IkiWiki/Plugin/attachment.pm b/IkiWiki/Plugin/attachment.pm index c1d1d1c60..a5c42d638 100644 --- a/IkiWiki/Plugin/attachment.pm +++ b/IkiWiki/Plugin/attachment.pm @@ -101,7 +101,10 @@ sub formbuilder (@) { #{{{ length $allowed_attachments) { $allowed=pagespec_match($filename, $allowed_attachments, - file => $tempfile); + file => $tempfile, + user => $session->param("name"), + ip => $ENV{REMOTE_ADDR}, + ); last if $allowed; } } @@ -306,4 +309,38 @@ sub match_ispage ($$;@) { #{{{ } } #}}} +sub match_user ($$;@) { #{{{ + shift; + my $user=shift; + my %params=@_; + + if (! exists $params{user}) { + return IkiWiki::FailReason->new("no user specified"); + } + + if (defined $params{user} && lc $params{user} eq lc $user) { + return IkiWiki::SuccessReason->new("user is $user"); + } + else { + return IkiWiki::FailReason->new("user is $params{user}, not $user"); + } +} #}}} + +sub match_ip ($$;@) { #{{{ + shift; + my $ip=shift; + my %params=@_; + + if (! exists $params{ip}) { + return IkiWiki::FailReason->new("no IP specified"); + } + + if (defined $params{ip} && lc $params{ip} eq lc $ip) { + return IkiWiki::SuccessReason->new("IP is $ip"); + } + else { + return IkiWiki::FailReason->new("IP is $params{ip}, not $ip"); + } +} #}}} + 1 diff --git a/doc/plugins/attachment.mdwn b/doc/plugins/attachment.mdwn index 019d1c9e4..184f5b5df 100644 --- a/doc/plugins/attachment.mdwn +++ b/doc/plugins/attachment.mdwn 
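Review bot: `ip => $ENV{REMOTE_ADDR}` is the address of the immediate TCP peer, so when the CGI runs behind a reverse proxy or load balancer every upload carries the proxy's address and an `ip()` rule matches all uploads or none; a comment should record that assumption, e.g. `# REMOTE_ADDR is the direct peer; behind a reverse proxy this is the proxy, not the uploader.`. `$session->param("name")` is presumably undef for a session that has not logged in, which match_user's `defined` check tolerates, but that is worth stating here too. formbuilder starts and ends outside this hunk.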
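Review bot: In match_user the else branch interpolates `$params{user}` after checking only `exists`, so a session with no name (key present, value undef) produces a "use of uninitialized value" warning under `use warnings` and the reason `user is , not joey`; match_ip has the same shape. Testing definedness up front gives a clean reason: `if (! defined $params{user}) { return IkiWiki::FailReason->new("no user specified"); }` in place of the `exists` test, and likewise for `$params{ip}`. The `lc` comparison is fine for plain usernames, but the doc hunk says an openid may be given, and openid identifiers are URLs whose path can be case-sensitive, so lowercasing both sides may equate identities a provider treats as distinct; comparing the `user()` argument exactly, or documenting the case-folding, would make that explicit.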
@@ -22,13 +22,14 @@ Bear in mind that if you let anyone upload a particular kind of file To provide a way to combat these abuses, the wiki admin can specify a [[ikiwiki/PageSpec]] on their preferences page, to control what types of -attachments can be uploaded. The regular [[ikiwiki/PageSpec]] syntax is -expanded with additional tests. +attachments can be uploaded, and by whom. The regular [[ikiwiki/PageSpec]] +syntax is expanded with additional tests. -For example, to limit arbitrary files to 50 kilobtes, but allow -larger mp3 files to be uploaded, a test like this could be used: +For example, to limit arbitrary files to 50 kilobytes, but allow +larger mp3 files to be uploaded by joey, a test like this could be +used: - (*.mp3 and maxsize(15mb)) or (!ispage() and maxsize(50kb)) + (user(joey) and *.mp3 and maxsize(15mb)) or (!ispage() and maxsize(50kb)) The following additional tests are available: @@ -51,3 +52,13 @@ The following additional tests are available: So, if you don't want to allow wiki pages to be uploaded as attachments, use `!ispage()` ; if you only want to allow wiki pages to be uploaded as attachments, use `ispage()`. + +* user(username) + + Tests whether the attachment is being uploaded by a user with the + specified username. If openid is enabled, an openid can also be put here. + +* ip(address) + + Tests whether the attacment is being uploaded from the specified IP + address. -- cgit v1.2.3