Timwi wrote:
Hi Magnus,
Or we could use a "mixed" solution:
* I upload my file to a publicly accessible file (ftp or http, no
matter), if it's not already online
* I call "Special:Upload?source=web"
* The upload <input> is replaced with a simple text input row for the URL
* Instead of using the PHP upload mechanism, MediaWiki just copies the
file through ftp/http
Why are you suggesting an extra different upload page?
I don't.
Why not just add
a radio button right there on the Upload page?
I have already implemented it. It is the same upload page, just with the
textbox instead of the <input type=file>. It uses a little extra code in
SpecialUpload.php, is all.
However, as Brion Vibber already mentioned, there are significant
security issues with this. I have a suggestion that might solve them; if
I have overlooked a security problem that this doesn't solve, please let
me know.
On concerns by Brion and Tim, I've rewritten the copy-from-URL part
using CURL, which makes the function less susceptible to
malicious/broken sources.
My suggestion is thus:
* The upload page displays (if the "upload from web" option is
selected) a randomly-generated token. This token is generated only
once for every user, and then stays the same.
* When uploading a file, the user needs to submit two URLs:
  * One that points to a text file containing the above token
  * One to the actual file he wants to upload
* The upload is allowed only if the two files are on the same domain
(or in the same directory, depending on how draconian you want it).
This isn't really a security feature, as an Evil User (tm) can still
upload any file (s)he wants.
It could, however, be a measure against newbies trying to copy random
files from the web. They can do that, however, right now - they only have
to save the file locally, as long as it's not too large. So, it would
prevent newbies with no web space of their own from uploading large files. Is
that really worth the bother?
If activated, my implementation by default only grants admins the right
to upload large files. So, to solve my original problem, I'd have to
find a commons admin, and write on his/her talk page to please upload
the files I stored at (URL), maybe give the file description/license
there or insert it myself once it's up. As long as the overall number of
large files to upload is low, that should work just fine.
Or I'll have to run for admin myself. I have a feeling I might be
accepted ;-)
Magnus
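
The token rule Timwi proposes above, sketched as an added example; it is not part of the thread and not MediaWiki's code. The function names, the `$mode` switch and the injected `$fetch` callable (standing in for the copy routine) are assumptions, and the sample site and token are constructed. As the reply notes, passing the check only shows that the uploader can place a file at that location; it does not limit which file gets copied.

```php
<?php
// Added illustration, not MediaWiki code; all names here are hypothetical.

/** Split a URL into [host, scheme, port, directory]; null if it is not usable. */
function locationOf(string $url): ?array {
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    $path = $p['path'] ?? '/';
    // Only the transports named in the thread; refuse any path segment that
    // starts with a dot, which covers "./" and "../".
    if (!in_array($scheme, ['http', 'ftp'], true) || strpos($path, '/.') !== false) {
        return null;
    }
    // Directory = everything up to and including the last slash.
    $dir = substr($path, 0, strrpos($path, '/') + 1);
    return [strtolower($p['host']), $scheme, $p['port'] ?? null, $dir];
}

/**
 * $mode 'domain': same host. $mode 'directory': same scheme, host, port and directory.
 * $fetch is a callable(string $url): ?string that returns the body of the token file.
 */
function mayUploadFromWeb(string $tokenUrl, string $fileUrl, string $userToken,
                          callable $fetch, string $mode = 'domain'): bool {
    $t = locationOf($tokenUrl);
    $f = locationOf($fileUrl);
    if ($t === null || $f === null || $userToken === '' || $t[0] !== $f[0]) {
        return false;
    }
    if ($mode === 'directory' && $t !== $f) {
        return false;
    }
    $body = $fetch($tokenUrl);
    // Constant-time comparison; the token file may end with a newline.
    return is_string($body) && hash_equals($userToken, trim($body));
}

// Constructed sample: a fake remote site and a made-up per-user token.
$token = '3f9c0a7e51d24b68';
$tok = 'http://files.example/~magnus/token.txt';
$site = [$tok => $token . "\n"];
$fetch = fn(string $url): ?string => $site[$url] ?? null;
// Cases: same directory; other directory (strict); other directory (lax); other host.
var_dump(mayUploadFromWeb($tok, 'http://files.example/~magnus/big.ogg', $token, $fetch, 'directory'));
var_dump(mayUploadFromWeb($tok, 'http://files.example/other/big.ogg', $token, $fetch, 'directory'));
var_dump(mayUploadFromWeb($tok, 'http://files.example/other/big.ogg', $token, $fetch));
var_dump(mayUploadFromWeb($tok, 'http://elsewhere.example/big.ogg', $token, $fetch));
```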