Commit 5a506647 authored by Carsten Rose

Manual.rst: Update to Manual to SIP encoding in `_download`.

parent 4a8835ee
......@@ -545,12 +545,10 @@ defining the `escape` modifier `m`.
Get Parameter
-------------
GET parameter might contain urlencoded content (%xx). 'urldecode()' all GET parameter.
The string length of GET parameter is limited to SECURITY_GET_MAX_LENGTH chars (see `config.qfq.ini`_)
**QFQ security restriction**:
* '%nn' in GET variables will always be decoded. It's not possible to transfer '%nn' itself.
* GET parameter might contain urlencoded content (%xx). Therefore all GET parameter will be processed by 'urldecode()'.
As a result a text like '%nn' in GET variables will always be decoded. It's not possible to transfer '%nn' itself.
* GET variables are limited to SECURITY_GET_MAX_LENGTH chars - any violation will break QFQ.
Post Parameter
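Review bot: the added line `* GET variables are limited to SECURITY_GET_MAX_LENGTH chars - any violation will break QFQ.` leaves the reader guessing what "break" means; the context of the next hunk already states that a detected attack leads to a complete white (=empty) page and that a message is shown when SECURITY_SHOW_MESSAGE = true, so say that here (for example "a longer value is treated as an attack and results in an empty page") instead of "will break QFQ". Minor: "all GET parameter" should read "all GET parameters" in both added lines, and "The string length of GET parameter" should be "of GET parameters".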
......@@ -586,8 +584,8 @@ A detected attack leads to a complete white (=empty) page.
If SECURITY_SHOW_MESSAGE = true (`config.qfq.ini`_), a message is displayed.
SIP
---
Client Parameter via SIP
------------------------
Links with URL parameters, targeting to the local website, are typically SIP encoded. Instead of transferring the parameter
as part of the URL, only one uniqe GET parameter 's' is appended at the link. The parameter 's' is uniq (equal to a
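Review bot: the unchanged context line `The parameter 's' is uniq (equal to a` and the line before it ("only one uniqe GET parameter 's'") carry the misspellings "uniq" and "uniqe"; since this hunk touches the SIP introduction anyway, correct both to "unique" and change "targeting to the local website" to "targeting the local website".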
......@@ -596,6 +594,20 @@ Two users might have the same value of parameter 's', but the content is complet
Variables needed by Typo3 remains on the link and are not 'sip-encoded'.
Secure direct fileaccess
------------------------
If the application uploads files, mostly it's not necessary and often a security issue, to offer a direct download of
the uploaded files. Best is to create a directory, e.g. `fileadmin/protected` and deny direct access via webbrowser to it.
E.g. for Apache set a htaccess rule: ::
<Directory /var/www/html/fileadmin/protected>
Require all denied
</Directory>
To offer download of those files, use the reserved columnname '_download':`download`_ or variants.
Store
=====
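Review bot: the Apache example does not match its lead-in. The text says "set a htaccess rule", but a `<Directory ...>` block is only permitted in the main server or virtual-host configuration, not inside a `.htaccess` file; a `.htaccess` placed in `fileadmin/protected` would contain just `Require all denied`. Either reword the lead-in to "in the vhost configuration" or show the `.htaccess` form, and state that `Require all denied` is the Apache 2.4 (mod_authz_core) syntax so readers on older versions know why it fails. Minor wording in the same hunk: "Secure direct fileaccess" should be "Secure direct file access", "columnname" should be "column name", and "If the application uploads files, mostly it's not necessary and often a security issue, to offer" reads better as "If the application stores uploaded files, it is usually unnecessary, and often a security issue, to offer".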
......@@ -3573,9 +3585,9 @@ By using the `_link` columnname:
* the option `d:...` initiate creating the download link and optional specifies an export filename,
* the optional `M:...` (Mode) specifies the export type (file, pdf, zip),
* setting `s:1` is mandatory for the download function,
* the alttext `a:...` specifies a message in the dowload popup.
* the alttext `a:...` specifies a message in the download popup.
By using `_pdf`, `_Pdf`, `_file`, `_File`, `_zip`, `_Zip` as columnname the options `d`, `m` and `s`
By using `_pdf`, `_Pdf`, `_file`, `_File`, `_zip`, `_Zip` as columnname, the options `d`, `m` and `s`
will be set by automatically.
All files will be read by PHP - therefore the directory might be protected against direct web access. This way is the
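Review bot: the context line directly after the changed one still reads "will be set by automatically"; drop "by". The option letters are also inconsistent within this hunk: the list introduces the mode as `M:...` while the rewritten sentence says the options `d`, `m` and `s` are set, and the following hunk uses `m:zip`; pick one case for the mode option so the reader does not have to guess whether it is case-sensitive.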
......@@ -3614,7 +3626,7 @@ Parameter and (element) sources
* In case of multiple element sources, only `pdf` or `zip` is supported.
* If `m:zip` is used together with `U:...` oder `u:..`, those HTML pages will be converted to PDF. Those files
get generic filenames inside the archive.
* If not specified, the **default** depends on the number of specified element sources (=file or web page).
* If not specified, the **default** 'Mode' depends on the number of specified element sources (=file or web page):
* If only one `file` is specifed, the default is `file`.
* If there is a) a page defined or b) multiple elements, the default is `pdf`.
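Review bot: two errors remain in the unchanged lines of this hunk: "specifed" in `* If only one `file` is specifed, the default is `file`.` should be "specified", and the German "oder" in `U:...` oder `u:..` should be "or". Worth fixing while the list is being edited; the rewritten default-Mode line correctly ends with ":" to introduce the sub-list.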
......@@ -3626,19 +3638,17 @@ Parameter and (element) sources
in a PDF or ZIP.
* *urlParam*: `U:id=<t3 page>&<key 1>=<value 1>&<key 2>=<value 2>&...&<key n>=<value n>`.
It's not possible to pass a valid SIP via `urlParam` to the target (wkhtmltopdf has no valid PHP session).
Also there are no FE_USER or FE_GROUP available.
Any QFQ internal parameter will be automatically converted to a SIP.
* *url*: `u:<url>` - any URL, pointing to an internal or external destination.
* *Options* for `urlParam` or `url`:
* The 'HTML to PDF' will be done via `wkhtmltopdf`.
* All possible options, suitable for `wkhtmltopdf`, can be submitted in the `u:...` or `U:...` element source.
Check `wkhtmltopdf.txt <https://wkhtmltopdf.org/usage/wkhtmltopdf.txt>`_ for all possible options. Be aware that key/value tuple in the
documentation is separated by a space, but to respect the key/value notation of URLs, the key/value tuple in
`u:...` or `U:...` has to be separated by '='. See last example below.
Check `wkhtmltopdf.txt <https://wkhtmltopdf.org/usage/wkhtmltopdf.txt>`_ for all possible options. Be aware that
key/value tuple in the documentation is separated by a space, but to respect the QFQ key/value notation of URLs,
the key/value tuple in `u:...` or `U:...` has to be separated by '='. Please see last example below.
Most of the other Link-Class attributes can be used to customize the link as well.
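Review bot: the two SIP statements in this list read as contradictory: "It's not possible to pass a valid SIP via `urlParam` to the target (wkhtmltopdf has no valid PHP session)" is followed by "Any QFQ internal parameter will be automatically converted to a SIP." Clarify how both hold, for example by stating at which point the conversion happens and whether the resulting SIP is usable by the rendered page. Minor wording in the rewritten lines: "key/value tuple in the documentation is separated" should be "key/value tuples in the documentation are separated", and "Please see last example below" should be "See the last example below".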