[Moin-user] ACL for attachment

Thomas Waldmann tw at waldmann-edv.de
Fri Jul 16 08:22:20 EDT 2004


> Considering AttachFile is disabled by default, and considered a security disk 

Allowing attaching files is a quite small risk as long as you don't 
serve the attached files directly by your web server and allow executing 
cgi scripts (attached by a malicous attacker).

As long as you run the standard moin configuration + allowing AttachFile 
action, the worst thing that can happen is that somebody uploads many 
and/or big files. Not a big problem usually, everybody can delete them 
again, so soft security applies.

> if enabled for public, isnt there an acl statement for attach privileges?

They are currently using the same read/write/delete ACLs as the page 
they are attached to.

If we would find enough reason to handle them separately, we could do 
it. But I currently see no reason, why we should do that.







More information about the Moin-user mailing list