Item8906: why is INCLUDE ing and attachment dependent on the {INCLUDE}{AllowURLs} setting

pencil
Priority: Enhancement
Current State: Proposal Required
Released In: n/a
Target Release: n/a
Applies To: Engine
Component: INCLUDE, TopicAttachment
Branches:
Reported By: SvenDowideit
Waiting For:
Last Change By: CrawfordCurrie
the {INCLUDE}{AllowURLs} setting is documented to:

_Allow %INCLUDE of URLs. This is disabled by default, because it is possible to mount a denial-of-service (DoS) attack on a Foswiki site using INCLUDE and URLs. Only enable it if you are in an environment where a DoS attack is not a high risk. You may also need to configure the proxy settings ({PROXY}{HOST} and {PROXY}{PORT}) if your server is behind a firewall and you allow %INCLUDE of external webpages._

this seems like an odd thing when applied to local topic attachments - maybe we should change this, or add a %!QUERY{"'System.DocumentGraphics'/attachments[1].content.txt"}%

heck, in adding a TOM element to represent the contents of a topic, we instantly get to search them - even if only for text, for attachments that have a doc->txt conversion.

ok, so I should make this into a feature req.

-- SvenDowideit - 14 Apr 2010

Closed Item2407 as a duplicate of this, where CrawfordCurrie noted:
Agreed, it does.

However the code has to be careful to ensure that there is no way for the path to be abused e.g. with relative path specifiers.

Note also this isn't as simple as it seems. If viewfile is in use, you can't short-circuit the URL to fetch the file directly, because you might be violating access controls. Fetching the URL by a request also might be a bad idea - there may be a good reason URL fetches are disallowed (such as proxy issues).

Confirmed, as an enhancement.

-- CrawfordCurrie - 25 Jun 2010

-- PaulHarvey - 22 Feb 2012
 

ItemTemplate edit

Summary why is INCLUDE ing and attachment dependent on the {INCLUDE}{AllowURLs} setting
ReportedBy SvenDowideit
Codebase
SVN Range
AppliesTo Engine
Component INCLUDE, TopicAttachment
Priority Enhancement
CurrentState Proposal Required
WaitingFor
Checkins
TargetRelease n/a
ReleasedIn n/a
CheckinsOnBranches
trunkCheckins
masterCheckins
ItemBranchCheckins
Release01x01Checkins
Topic revision: r4 - 20 Jun 2015, CrawfordCurrie
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License    Legal Imprint    Privacy Policy