Oliver Betz writes:
I suggest preconfiguring $UploadBlacklist in sample-config.php,
otherwise many users will not care about it.

The sample-config.php file is meant to be read by newcomer admins so there is a rule that it should be as simple as possible. For example, we don't use $FarmD in the paths because it will make it more complex, and $FarmD is only required for a WikiFarm which is usually done by more advanced admins.

By default, PmWiki doesn't even allow uploads so there is no danger with multiple extensions. Moreover, when the uploads are enabled, there is a default password, and normally only trusted users can upload. So I am not sure if it is better to:

1. keep sample-config.php simple and clean, but without critical information for some (not all) servers, or

2. have it more crowded and more complex, with information which is not important for many (most) servers.

This information, critical for some servers, should be documented at UploadsAdmin with the suggested solutions - .htaccess, $UploadBlacklist, $EnableDirectDownload - in or near the first section about how to enable uploads. Should it be in sample-config.php? I don't know.

In addition to the already mentioned '.php', '.pl', '.cgi' I would
include at least:
.py, .htm, .shtm, .phtm, .pcgi, .asp, .js, .jsp, .sh

The files .htm and .js are normally not executed by the server, and are accepted as allowed uploads. I have added the others in the documentation.

If I understand the code correctly, a ".php" entry also prevents .php4
etc., correct?

Yes.

I think it would be a good idea to include also a warning in
sample-config.php about disabling script execution by .htaccess if
$EnableDirectDownload is set.

$EnableDirectDownload is always set, unless an admin sets it to 0. Also, we don't have a single .htaccess working on all servers so once again, sample-config.php is probably not the best place to document this.

I may be wrong though.

Petko


_______________________________________________
pmwiki-users mailing list
pmwiki-users@pmichaud.com
http://www.pmichaud.com/mailman/listinfo/pmwiki-users
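An added illustration of the blacklist semantics discussed in this thread. It is written for this page and is not PmWiki's own upload.php: it assumes a case-insensitive substring match (so that a '.php' entry also rejects '.php4' and 'shell.php.txt', as Petko confirms above), and the blacklist it constructs combines PmWiki's documented defaults with the extensions Oliver proposed, minus '.htm' and '.js', which Petko says are allowed. $UploadBlacklist is PmWiki's real variable name; check_upload_name and upload_name_blacklisted are hypothetical helpers, and the sample filenames are constructed.

```php
<?php
// Added example, not PmWiki's code. Demonstrates why a '.php' blacklist entry
// also catches '.php4', '.php5' and 'x.php.txt' when matching is by substring.

// Constructed blacklist: documented defaults ('.php', '.pl', '.cgi') plus the
// additions suggested in the thread, without '.htm' and '.js'.
$UploadBlacklist = array('.php', '.pl', '.cgi', '.py', '.shtm', '.phtm',
                         '.pcgi', '.asp', '.jsp', '.sh');

/**
 * True if $upname contains any blacklisted fragment, compared case-insensitively.
 * Substring matching deliberately over-blocks: '.php' covers '.php4', '.php5',
 * '.phtml' and the double-extension trick 'x.php.txt', which some Apache
 * configurations would still hand to the PHP handler.
 */
function upload_name_blacklisted($upname, array $blacklist) {
    $lower = strtolower($upname);
    foreach ($blacklist as $bl) {
        if ($bl !== '' && strpos($lower, strtolower($bl)) !== false) {
            return true;
        }
    }
    return false;
}

/**
 * Accept or reject an upload name. Returns 'ok' or 'badname' (hypothetical
 * result codes). Path components are stripped with basename() so that a
 * client-supplied '../x' cannot escape the uploads directory, and NUL bytes
 * are rejected because they truncate names in C-based filesystem calls.
 */
function check_upload_name($upname, array $blacklist) {
    if (strpos($upname, "\0") !== false) return 'badname';
    $base = basename($upname);
    if ($base === '' || $base === '.' || $base === '..') return 'badname';
    if (upload_name_blacklisted($base, $blacklist)) return 'badname';
    return 'ok';
}

// Constructed sample names: the first two are accepted, the rest rejected.
$samples = array('report.pdf', 'logo.htm', 'shell.php', 'shell.php4',
                 'shell.PHP.txt', 'page.shtml', 'script.py', '../evil.sh');
foreach ($samples as $s) {
    printf("%-16s %s\n", $s, check_upload_name($s, $UploadBlacklist));
}
```

Note that 'logo.htm' passes even though '.shtm' is listed, because the match is on the whole fragment including the leading 's'; conversely 'page.shtml' is rejected. The check is only the first layer: as Petko points out, with $EnableDirectDownload the web server serves the uploads directory itself, so script execution there should also be disabled in the server configuration.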