Item8906: why is INCLUDEing an attachment dependent on the {INCLUDE}{AllowURLs} setting
Priority: Enhancement
Current State: Proposal Required
Released In: n/a
Target Release: n/a
the {INCLUDE}{AllowURLs} setting is documented to:
_Allow %INCLUDE of URLs. This is disabled by default, because it is possible to mount a denial-of-service (DoS) attack on a Foswiki site using INCLUDE and URLs. Only enable it if you are in an environment where a DoS attack is not a high risk. You may also need to configure the proxy settings ({PROXY}{HOST} and {PROXY}{PORT}) if your server is behind a firewall and you allow %INCLUDE of external webpages._
this seems like an odd thing when applied to local topic attachments - maybe we should change this, or add a
%!QUERY{"'System.DocumentGraphics'/attachments[1].content.txt"}%
heck, in adding a TOM element to represent the contents of a topic, we instantly get to search them - even if only for text, for attachments that have a doc->txt conversion.
ok, so I should make this into a feature req.
-- SvenDowideit - 14 Apr 2010
Closed Item2407 as a duplicate of this, where CrawfordCurrie noted:
Agreed, it does.
However the code has to be careful to ensure that there is no way for the path to be abused e.g. with relative path specifiers.
Note also this isn't as simple as it seems. If viewfile is in use, you can't short-circuit the URL to fetch the file directly, because you might be violating access controls. Fetching the URL by a request also might be a bad idea - there may be a good reason URL fetches are disallowed (such as proxy issues).
Confirmed, as an enhancement.
-- CrawfordCurrie - 25 Jun 2010
-- PaulHarvey - 22 Feb 2012
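
The two conditions CrawfordCurrie sets out above (no relative path specifiers, and no bypass of the access check that viewfile would apply) look like this in Perl. This is an added example, not part of the original tracker item and not Foswiki's own code; `include_attachment`, the `$can_view` callback, the `Secret.Plans` topic and the sample files are hypothetical and constructed for illustration, and a Unix path separator is assumed.

```perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Path qw(make_path);
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical resolver for %INCLUDE of a local attachment: returns the
# file's text or dies with a reason. $can_view stands in for the wiki's
# VIEW permission check on the topic that owns the attachment.
sub include_attachment {
    my ( $pub_root, $ref, $user, $can_view ) = @_;
    # Accept only Web.Topic/file with plain name characters, so no
    # component can carry a slash, backslash or NUL.
    my ( $web, $topic, $file ) =
      $ref =~ m{\A([A-Za-z0-9_]+)\.([A-Za-z0-9_]+)/([A-Za-z0-9_.-]+)\z}
      or die "rejected: malformed reference\n";
    die "rejected: relative path specifier\n"
      if $file eq '.' || index( $file, '..' ) >= 0;
    # Reading from disk must not skip the check viewfile would make.
    die "denied: $user may not view $web.$topic\n"
      unless $can_view->( $user, $web, $topic );
    my $root = realpath($pub_root);
    my $path = File::Spec->catfile( $root, $web, $topic, $file );
    die "not found\n" unless -f $path;
    # Defence in depth: a symlink must not lead outside the pub root.
    my $real = realpath($path);
    die "rejected: resolves outside pub root\n"
      unless defined $real && index( $real, "$root/" ) == 0;
    open my $fh, '<', $real or die "unreadable\n";
    local $/;
    return scalar <$fh>;
}
# Constructed sample data: a throwaway pub directory and a toy ACL.
my $pub = tempdir( CLEANUP => 1 );
for my $f ( [qw(System DocumentGraphics index.txt public-text)],
            [qw(Secret Plans budget.txt restricted-text)] ) {
    my $dir = File::Spec->catdir( $pub, @$f[ 0, 1 ] );
    make_path($dir);
    open my $out, '>', File::Spec->catfile( $dir, $f->[2] ) or die $!;
    print {$out} $f->[3];
}
my $acl = sub { my ( $user, $web ) = @_; $web ne 'Secret' || $user eq 'admin' };
for my $ref ( 'System.DocumentGraphics/index.txt', 'Secret.Plans/budget.txt',
              'System.DocumentGraphics/..', 'System.DocumentGraphics/../x.txt' ) {
    my $text = eval { include_attachment( $pub, $ref, 'guest', $acl ) };
    chomp( my $why = $@ );
    print "$ref => ", ( defined $text ? "OK: $text" : $why ), "\n";
}
```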