Timwi wrote:
Hi Magnus,
Or we could use a "mixed" solution:
- I upload my file to a publicly accessible file (ftp or http, no
matter), if it's not already online
- I call "Special:Upload?source=web"
- The upload <input> is replaced with a simple text input row for the URL
- Instead of using the PHP upload mechanism, MediaWiki just copies the
file through ftp/http
Why are you suggesting an extra different upload page?
I don't.
Why not just add a radio button right there on the Upload page?
I have already implemented it. It is the same upload page, just with the textbox instead of the <input type=file>. It uses a little extra code in SpecialUpload.php, is all.
However, as Brion Vibber already mentioned, there are significant security issues with this. I have a suggestion that might solve them; if I have overlooked a security problem that this doesn't solve, please let me know.
On concerns by Brion and Tim, I've rewritten the copy-from-URL part using CURL, which makes the function less susceptible to malicious/broken sources.
My suggestion is thus:
- The upload page displays (if the "upload from web" option is selected) a randomly-generated token. This token is generated only once for every user, and then stays the same.
- When uploading a file, the user needs to submit two URLs:
  - One that points to a text file containing the above token
  - One to the actual file he wants to upload
- The upload is allowed only if the two files are on the same domain (or in the same directory, depending on how draconian you want it).
This isn't really a security feature, as an Evil User (tm) can still upload any file (s)he wants.
It could, however, be a measure against newbies trying to copy random files from the web. They can do that, however, right now - they only have to save the file locally, as long as it's not too large. So, it would prevent newbies with no own web space from uploading large files. Is that really worth the bother?
If activated, my implementation by default only grants admins the right to upload large files. So, to solve my original problem, I'd have to find a commons admin, and write on his/her talk page to please upload the files I stored at (URL), maybe give the file description/license there or insert it myself once it's up. As long as the overall number of large files to upload is low, that should work just fine.
Or I'll have to run for admin myself. I have a feeling I might be accepted ;-)
Magnus
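
The token and same-domain / same-directory check proposed in this thread, as an added example that is not part of the original message or of MediaWiki's code. Fetching the token file is left out; `check_upload_source`, its parameters and the sample URLs are assumptions, and "same domain" is read here as same scheme, host and port.

```python
import hmac
import posixpath
from urllib.parse import urlsplit

# Assumption: only the transports the thread mentions (plus https) are accepted.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def origin_and_directory(url):
    """Split a URL into a comparable (scheme, host, port) origin and its directory."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("unsupported or malformed URL")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not accepted")
    if "%2e" in parts.path.lower() or "%2f" in parts.path.lower():
        raise ValueError("encoded dot or slash makes the directory ambiguous")
    port = parts.port or DEFAULT_PORTS[scheme]
    # Resolve "." and ".." so /alice/../bob/x is compared as /bob/x.
    path = posixpath.normpath("/" + parts.path.lstrip("/"))
    return (scheme, parts.hostname, port), posixpath.dirname(path)


def check_upload_source(token_url, file_url, fetched_token, expected_token,
                        same_directory=True):
    """Return (allowed, reason). fetched_token is the body already retrieved
    from token_url; expected_token is the per-user token shown on the upload page."""
    try:
        token_origin, token_dir = origin_and_directory(token_url)
        file_origin, file_dir = origin_and_directory(file_url)
    except ValueError as exc:
        return False, str(exc)
    if token_origin != file_origin:
        return False, "token file and upload are on different hosts"
    if same_directory and token_dir != file_dir:
        return False, "token file and upload are in different directories"
    # Constant-time comparison; surrounding whitespace in the text file is ignored.
    if not hmac.compare_digest(fetched_token.strip().encode(), expected_token.encode()):
        return False, "token mismatch"
    return True, "ok"


# Constructed sample values, not taken from the thread.
TOKEN = "3f9c1e7a52b84d06"
print(check_upload_source("http://files.example.org/alice/token.txt",
                          "http://files.example.org/alice/video.ogg",
                          TOKEN + "\n", TOKEN))
```

Setting `same_directory=False` gives the looser same-domain variant of the rule.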