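Serving attachments directly through the web server

The first step is to tell Apache about an alias directory from which files can be served. Look in the httpd.conf (or commonhttpd.conf) file that was modified when MoinMoin was installed and find an alias statement similar to the following: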

    ScriptAlias /mywiki           ".../mywiki/moin.cgi" 

Create a new Alias statement similar to the one above, replacing /mywiki with /mywikiattach/ and moin.cgi with data/pages/:

    Alias       /mywikiattach/    ".../mywiki/data/pages/"

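Note the trailing '/' on both paths; the configuration statement must be exactly as shown above. After changing the configuration, you must restart Apache for the change to take effect.

The second step is to tell MoinMoin that Apache handles the retrieval of attachments. You need to add the attachments option to the .../mywiki/wikiconfig.py file. This option is a dictionary with two values: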

    attachments = {
        'dir': '.../mywiki/data/pages',
        'url': '/mywikiattach',
    }

Uploading files is still handled by MoinMoin. dir tells MoinMoin where attachments are stored; note that its path is the same as the path in the newly added Apache Alias statement, but without the trailing "/". url tells MoinMoin how to retrieve attachments; it matches the URL path in the Alias statement, again without the trailing "/".

/!\ Your attached files are now directly servable by Apache. However, if you also have PHP (or ASP or any other server-parsed language) installed, an attacker can upload a PHP script and then run it to exploit other local weaknesses.

For example, you can disable PHP for the appropriate directory (note that it is difficult to include instructions for disabling all server-parsed languages):

    <Directory .../mywiki/data/pages/>
        RemoveType .php .php3 .php4 .phtml
    </Directory>

/!\ This only disables PHP. You have to disable every other server-parsed language on your own!
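Because everything under dir is now served by Apache, it is worth auditing that tree for files that already carry a server-parsed extension. The script below is an added example, not part of MoinMoin or of the original page. The EXTRA_EXTS list, the function names and the sample tree are assumptions made for illustration; adjust the extension list to what your own httpd.conf maps.

```python
import os
import tempfile

# Extensions named in the page's RemoveType line.
PAGE_EXTS = {".php", ".php3", ".php4", ".phtml"}
# Assumption: further extensions often mapped to server-side handlers;
# replace with whatever your own httpd.conf actually maps.
EXTRA_EXTS = {".php5", ".phar", ".asp", ".cgi", ".pl", ".shtml"}


def parsed_extensions(filename, exts):
    """Return the listed extensions found anywhere in filename.

    Apache's mod_mime considers every dot-separated extension, not only
    the last one, so 'notes.php.bak' still carries '.php'.
    """
    parts = filename.lower().split(".")[1:]  # drop the base name
    return sorted({"." + p for p in parts} & exts)


def audit_attachments(root, exts=PAGE_EXTS | EXTRA_EXTS):
    """Walk root (the 'dir' value) and return [(relative_path, [exts])]."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            hits = parsed_extensions(name, exts)
            if hits:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel.replace(os.sep, "/"), hits))
    return sorted(findings)


def build_sample_tree(root):
    """Create a constructed sample tree (empty files, assumed layout)."""
    names = [
        "WikiSandBox/attachments/logo.png",
        "WikiSandBox/attachments/upload.php",
        "WikiSandBox/attachments/photo.PHP.jpg",
        "FrontPage/attachments/old.phtml.bak",
        "FrontPage/attachments/readme.txt",
    ]
    for rel in names:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, hits in audit_attachments(tmp):
            print(rel, hits)
```

Run it against the real dir path before enabling the Alias and again periodically; any hit is a file Apache may hand to an interpreter unless the matching type or handler is removed for that directory.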

After you have completed the configuration changes, test by uploading an attachment for WikiSandBox. Then modify the WikiSandBox page to display the uploaded image or download the file. If there were existing attachments before this change, verify the old attachments are still available. Finally, review the Apache access.log file to verify you have a log entry showing the expected file access: