This is a very nice and useful Kwiki plug-in. However, you should consider that, just used out of the box, it may present a significant security risk.
The problem is that users can upload any type of file. That means that, for example, if you are using a typical Apache server with PHP, users will be able to upload arbitrary PHP programs that get executed by your server. You may be able to tweak the Apache configuration to work around this.
Another solution is that the plugin has an *undocumented* configuration option called "attachments_skip". That's a step in the right direction, although having an "attachments_allow" would be much better. You can add this option to config.yaml to provide a regular expression to recognize the attachments that should be skipped. If you want to allow only certain kinds of attachments, you can use a negative lookahead in the regular expression to negate it. Something like this should allow only PNG, JPG, and GIF files:
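To make the negative-lookahead idea concrete, here is an added example (not part of the review or of Kwiki-Attachments itself) that takes such a regular expression and runs it over constructed filenames; it assumes, as the review describes, that attachments_skip is a Perl regex matched against the uploaded filename and that a match means the file is skipped.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: the attachments_skip value is a Perl regular expression matched
# against the uploaded filename, and a match means "skip this attachment".
# A negative lookahead turns the skip-list into an allow-list: skip every name
# that does NOT end in .png, .jpg, .jpeg or .gif. (?i) makes the extension
# check case-insensitive; \z anchors at the true end of the string, unlike $,
# which would still match before a trailing newline.
my $attachments_skip = '(?i)^(?!.*\.(?:png|jpe?g|gif)\z)';

# Equivalent config.yaml line (quoted so YAML leaves the pattern untouched):
#   attachments_skip: '(?i)^(?!.*\.(?:png|jpe?g|gif)\z)'

sub is_skipped {
    my ($filename) = @_;
    return $filename =~ /$attachments_skip/ ? 1 : 0;
}

# Constructed filenames exercising the rule, including the case the review
# worries about (a server-side script) and a few tricky spellings.
my %expected = (
    'diagram.png'    => 0,  # allowed
    'photo.JPG'      => 0,  # allowed (case-insensitive)
    'anim.gif'       => 0,  # allowed
    'upload.php'     => 1,  # skipped: not an image extension
    'notes.txt'      => 1,  # skipped: not on the allow-list
    'image.png.php'  => 1,  # skipped: the final extension is .php
    'archive.tar.gz' => 1,  # skipped
    'noextension'    => 1,  # skipped
);

for my $name (sort keys %expected) {
    my $got = is_skipped($name);
    printf "%-16s %s\n", $name, $got ? 'skipped' : 'allowed';
    die "unexpected result for $name\n" unless $got == $expected{$name};
}
print "all checks passed\n";
```

An extension allow-list only limits what gets stored; it does not change how Apache maps extensions to handlers, so the Apache-side configuration the review mentions is still worth checking separately.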
It works and it works rather well. I especially like that attachments are attached to a specific page rather than having a huge directory with all of the attachments.
Sometimes the filename isn't very descriptive when we upload a file. I'd like to be able to add and see a Description alongside the file name if we chose to add one. Also, sometimes I don't want the attachment list to show on the page; I just want to put the link someplace in the page manually. Maybe a checkbox to include or not include an entry in attachments.