
#3 Attachments possible even when off in config_default.asp

OpenWikiNG_CVS
open
Attachments (2)
9
2012-09-03
2005-11-25
sEi
No

Attachments possible even when off in
config_default.asp

This is a security risk!

How to reproduce bug:
In config_default.asp set cAllowAttachments = 0

Put this token on a page in the wiki:
@attachmentthis

When page is displayed you have a link that leads to
the attachment page. (a=attach)

And it's possible for the user to upload a file 'to the
page'


Temporary fix:
in config_default.asp, OPENWIKI_UPLOADDIR put an
invalid path.

Then the user cannot upload and will get an error
when trying.

Discussion

  • sEi

    sEi - 2005-11-28

    Logged In: YES
    user_id=1090859

    This bug has got the highest priority (9)

    Because it's a security risk!

     
  • sEi

    sEi - 2005-11-29

    Logged In: YES
    user_id=1090859

    The optimal solution should make it possible for a
    readonly wiki to only allow attachments for the user who
    knows the password. ATM if readonly and attachments
    allowed - then anyone can attach!

    /sEi

     
  • chrisg-uk

    chrisg-uk - 2006-01-06

    Logged In: YES
    user_id=1403007

    I'll take this one on - I do not have permission to assign
    it.

     
  • Nobody/Anonymous

    Logged In: NO

    An alternate fix, because I've found that the 20060322 version is non-responsive to the above fix, you can edit the owconfig_default.asp file to set:

    OPENWIKI_MAXUPLOADSIZE = 0

    This is what I've implemented and works fine.
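
The ticket reports that the attach action (a=attach) still accepts uploads when cAllowAttachments = 0, and both workarounds above only make the upload fail indirectly. As an added example (not OpenWiki's own code, and not from any participant in this thread), a server-side gate evaluated before the attach action runs could look like this in Classic ASP. The `Ex*`/`ex*` names, the read-only flag and the session key are hypothetical, and the two configuration values are stand-ins for the settings named in the ticket.

```vbscript
<%
' Added example, not OpenWiki code: enforce the attachment settings on the
' server before the attach action runs, instead of relying on a hidden link.

' Stand-ins for the settings named in the ticket (normally set in the config file).
Dim cAllowAttachments, OPENWIKI_MAXUPLOADSIZE
cAllowAttachments = 0          ' 0 is the "off" value given in the ticket
OPENWIKI_MAXUPLOADSIZE = 0     ' 0 is the value used in the last comment

' Hypothetical: read-only flag, and a session key that the login code would
' set to True after the edit password has been accepted.
Dim exReadOnlyWiki
exReadOnlyWiki = 1
Const EX_SESSION_KEY = "ex_editor_authenticated"

Function ExIsEditor()
    ' An unset session value is Empty, which compares as False here.
    ExIsEditor = (Session(EX_SESSION_KEY) = True)
End Function

Function ExAttachmentsPermitted()
    ExAttachmentsPermitted = False                      ' deny by default
    If CLng(cAllowAttachments) = 0 Then Exit Function   ' feature switched off
    If CLng(OPENWIKI_MAXUPLOADSIZE) <= 0 Then Exit Function
    ' Read-only wiki: only the user who knows the password may attach.
    If CLng(exReadOnlyWiki) = 1 And Not ExIsEditor() Then Exit Function
    ExAttachmentsPermitted = True
End Function

Sub ExDeny(message)
    Response.Status = "403 Forbidden"
    Response.Write Server.HTMLEncode(message)
    Response.End                                        ' stop before any upload code
End Sub

' Gate every request for the attach action, whether or not a page ever
' rendered a link to it (for example through the @attachmentthis token).
If LCase(Trim(Request.QueryString("a"))) = "attach" Then
    If Not ExAttachmentsPermitted() Then ExDeny "Attachments are disabled."
End If
%>
```

The check has to run in the request handler itself: suppressing the link at render time does not stop a direct request to the attach URL.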

     
