[Moin-user] Attachments
Jim Popovitch
jimpop at yahoo.com
Tue Aug 16 12:57:11 EDT 2005
On Tue, 2005-08-16 at 14:44 -0500, Kenneth McDonald wrote:
> I noticed this statement on one of the Configuration help pages:
> -----------
>
> The AttachFile action enables a page to have multiple attached files.
> Since file uploads could be abused for DoS (Denial of Service)
> attacks, AttachFile is an action that may be enabled by the wiki
> administrator. To do this, add "allowed_actions = ['AttachFile']" to
> your configuration file.
>
> This is all you usually need to do for configuration.
>
> Note that we plan to remove that option in 1.4. Because of that and
> the security problems noted below, we do not recommend that option.
>
> ------------
>
> Is this really true--attachments in MoinMoin are going away? I can
> understand some security concerns, and perhaps disabling inlining of
> non-image attachments (though even there, couldn't the user just type
> in the possibly dangerous text?), but for us (and many others, I
> imagine) attachments are critical. We need to allow our users to view
> images and download things like PDFs and scripts for our product, and
> they need to be able to upload images (we're a graphics company) and
> their own scripts for other users. They _don't_ need to be able to
> inline anything other than images, so perhaps that's a restriction
> that could be made?
>
>
> If someone could clarify this situation as soon as possible, I'd
> greatly appreciate it. We've put enough time into MoinMoin that it
> would already be quite difficult to abandon it, but if this element of
> it is going away, we need to look at a different solution before we
> really get committed to it.
Same here. I like the attachment feature. What is so insecure about
it? I've successfully (at least I think I have) ACL'ed it to a special
group. Am I missing some security concerns other than approved users
uploading huge files that suck bandwidth?
-Jim P.