[Moin-user] ACL for attachment
Thomas Waldmann
tw at waldmann-edv.de
Fri Jul 16 08:22:20 EDT 2004
> Considering AttachFile is disabled by default, and considered a security risk
Allowing attaching files is a quite small risk as long as you don't
serve the attached files directly by your web server and allow executing
cgi scripts (attached by a malicious attacker).
As long as you run the standard moin configuration + allowing AttachFile
action, the worst thing that can happen is that somebody uploads many
and/or big files. Not a big problem usually, everybody can delete them
again, so soft security applies.
> if enabled for public, isn't there an acl statement for attach privileges?
They are currently using the same read/write/delete ACLs as the page
they are attached to.
If we found enough reason to handle them separately, we could do
it. But I currently see no reason why we should do that.