Commit 5a506647 authored by Carsten Rose

Manual.rst: Update to Manual to SIP encoding in `_download`.

parent 4a8835ee
...@@ -545,12 +545,10 @@ defining the `escape` modifier `m`. ...@@ -545,12 +545,10 @@ defining the `escape` modifier `m`.
Get Parameter Get Parameter
------------- -------------
GET parameter might contain urlencoded content (%xx). 'urldecode()' all GET parameter.
The string length of GET parameter is limited to SECURITY_GET_MAX_LENGTH chars (see `config.qfq.ini`_)
**QFQ security restriction**: **QFQ security restriction**:
* '%nn' in GET variables will always be decoded. It's not possible to transfer '%nn' itself. * GET parameter might contain urlencoded content (%xx). Therefore all GET parameter will be processed by 'urldecode()'.
As a result a text like '%nn' in GET variables will always be decoded. It's not possible to transfer '%nn' itself.
* GET variables are limited to SECURITY_GET_MAX_LENGTH chars - any violation will break QFQ. * GET variables are limited to SECURITY_GET_MAX_LENGTH chars - any violation will break QFQ.
Post Parameter Post Parameter
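Review bot: the rewritten bullet drops the `(see `config.qfq.ini`_)` cross-reference that the removed sentence carried for SECURITY_GET_MAX_LENGTH; keep it on the new "GET variables are limited to SECURITY_GET_MAX_LENGTH chars" bullet so readers can still find where the limit is configured. The retained phrase "any violation will break QFQ" also stays vague: if an over-long parameter is handled like the detected attacks described a few lines further down (complete white page, message only with SECURITY_SHOW_MESSAGE), say so explicitly, e.g. "any violation is treated as an attack and results in an empty page".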
...@@ -586,8 +584,8 @@ A detected attack leads to a complete white (=empty) page. ...@@ -586,8 +584,8 @@ A detected attack leads to a complete white (=empty) page.
If SECURITY_SHOW_MESSAGE = true (`config.qfq.ini`_), a message is displayed. If SECURITY_SHOW_MESSAGE = true (`config.qfq.ini`_), a message is displayed.
SIP Client Parameter via SIP
--- ------------------------
Links with URL parameters, targeting to the local website, are typically SIP encoded. Instead of transferring the parameter Links with URL parameters, targeting to the local website, are typically SIP encoded. Instead of transferring the parameter
as part of the URL, only one uniqe GET parameter 's' is appended at the link. The parameter 's' is uniq (equal to a as part of the URL, only one uniqe GET parameter 's' is appended at the link. The parameter 's' is uniq (equal to a
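Review bot: the heading rename to "Client Parameter via SIP" is fine and the new underline matches the title length, but the unchanged context this hunk pulls in still has "uniqe" and "uniq" (twice) for "unique", and "targeting to the local website" should read "targeting the local website"; since the section head is already being touched, fix these in the same change.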
...@@ -596,6 +594,20 @@ Two users might have the same value of parameter 's', but the content is complet ...@@ -596,6 +594,20 @@ Two users might have the same value of parameter 's', but the content is complet
Variables needed by Typo3 remains on the link and are not 'sip-encoded'. Variables needed by Typo3 remains on the link and are not 'sip-encoded'.
Secure direct fileaccess
------------------------
If the application uploads files, mostly it's not necessary and often a security issue, to offer a direct download of
the uploaded files. Best is to create a directory, e.g. `fileadmin/protected` and deny direct access via webbrowser to it.
E.g. for Apache set a htaccess rule: ::
<Directory /var/www/html/fileadmin/protected>
Require all denied
</Directory>
To offer download of those files, use the reserved columnname '_download':`download`_ or variants.
Store Store
===== =====
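Review bot: the Apache example in the new "Secure direct fileaccess" section contradicts its own lead-in. A `<Directory>` container is only permitted in the main server or virtual-host configuration; Apache refuses it inside an .htaccess file ("<Directory> not allowed here"). Either present the block as a httpd.conf/vhost snippet, or make the .htaccess variant a bare `Require all denied` placed in `fileadmin/protected` (and mention that this is Apache 2.4 syntax; 2.2 needs `Deny from all`). Minor: "fileaccess" in the heading should be "file access", "webbrowser" should be "web browser", and `'_download':`download`_` would read better as "`_download` (see `download`_)".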
...@@ -3573,9 +3585,9 @@ By using the `_link` columnname: ...@@ -3573,9 +3585,9 @@ By using the `_link` columnname:
* the option `d:...` initiate creating the download link and optional specifies an export filename, * the option `d:...` initiate creating the download link and optional specifies an export filename,
* the optional `M:...` (Mode) specifies the export type (file, pdf, zip), * the optional `M:...` (Mode) specifies the export type (file, pdf, zip),
* setting `s:1` is mandatory for the download function, * setting `s:1` is mandatory for the download function,
* the alttext `a:...` specifies a message in the dowload popup. * the alttext `a:...` specifies a message in the download popup.
By using `_pdf`, `_Pdf`, `_file`, `_File`, `_zip`, `_Zip` as columnname the options `d`, `m` and `s` By using `_pdf`, `_Pdf`, `_file`, `_File`, `_zip`, `_Zip` as columnname, the options `d`, `m` and `s`
will be set by automatically. will be set by automatically.
All files will be read by PHP - therefore the directory might be protected against direct web access. This way is the All files will be read by PHP - therefore the directory might be protected against direct web access. This way is the
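Review bot: the last changed line of this hunk still carries the stray "by" in "will be set by automatically"; drop it while the line is being edited. The option letter is also inconsistent within the same list: the `M:...` (Mode) bullet uses uppercase, while the next sentence lists the auto-set options as `d`, `m` and `s` in lowercase, so settle on one spelling.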
...@@ -3614,7 +3626,7 @@ Parameter and (element) sources ...@@ -3614,7 +3626,7 @@ Parameter and (element) sources
* In case of multiple element sources, only `pdf` or `zip` is supported. * In case of multiple element sources, only `pdf` or `zip` is supported.
* If `m:zip` is used together with `U:...` oder `u:..`, those HTML pages will be converted to PDF. Those files * If `m:zip` is used together with `U:...` oder `u:..`, those HTML pages will be converted to PDF. Those files
get generic filenames inside the archive. get generic filenames inside the archive.
* If not specified, the **default** depends on the number of specified element sources (=file or web page). * If not specified, the **default** 'Mode' depends on the number of specified element sources (=file or web page):
* If only one `file` is specifed, the default is `file`. * If only one `file` is specifed, the default is `file`.
* If there is a) a page defined or b) multiple elements, the default is `pdf`. * If there is a) a page defined or b) multiple elements, the default is `pdf`.
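Review bot: the added `'Mode'` wording and trailing colon are good, but the unchanged bullets around them still contain "oder" (German for "or") in "`U:...` oder `u:..`" and the typo "specifed"; `m:zip` here also uses the lowercase letter while the earlier `_link` option list writes `M:...`, so align the case with whatever the previous hunk settles on.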
...@@ -3626,19 +3638,17 @@ Parameter and (element) sources ...@@ -3626,19 +3638,17 @@ Parameter and (element) sources
in a PDF or ZIP. in a PDF or ZIP.
* *urlParam*: `U:id=<t3 page>&<key 1>=<value 1>&<key 2>=<value 2>&...&<key n>=<value n>`. * *urlParam*: `U:id=<t3 page>&<key 1>=<value 1>&<key 2>=<value 2>&...&<key n>=<value n>`.
It's not possible to pass a valid SIP via `urlParam` to the target (wkhtmltopdf has no valid PHP session). Any QFQ internal parameter will be automatically converted to a SIP.
Also there are no FE_USER or FE_GROUP available.
* *url*: `u:<url>` - any URL, pointing to an internal or external destination. * *url*: `u:<url>` - any URL, pointing to an internal or external destination.
* *Options* for `urlParam` or `url`: * *Options* for `urlParam` or `url`:
* The 'HTML to PDF' will be done via `wkhtmltopdf`. * The 'HTML to PDF' will be done via `wkhtmltopdf`.
* All possible options, suitable for `wkhtmltopdf`, can be submitted in the `u:...` or `U:...` element source. * All possible options, suitable for `wkhtmltopdf`, can be submitted in the `u:...` or `U:...` element source.
Check `wkhtmltopdf.txt <https://wkhtmltopdf.org/usage/wkhtmltopdf.txt>`_ for all possible options. Be aware that key/value tuple in the Check `wkhtmltopdf.txt <https://wkhtmltopdf.org/usage/wkhtmltopdf.txt>`_ for all possible options. Be aware that
documentation is separated by a space, but to respect the key/value notation of URLs, the key/value tuple in key/value tuple in the documentation is separated by a space, but to respect the QFQ key/value notation of URLs,
`u:...` or `U:...` has to be separated by '='. See last example below. the key/value tuple in `u:...` or `U:...` has to be separated by '='. Please see last example below.
Most of the other Link-Class attributes can be used to customize the link as well. Most of the other Link-Class attributes can be used to customize the link as well.
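Review bot: the replacement sentence removes two security-relevant caveats without carrying them over: that wkhtmltopdf renders the target page without a valid PHP session, and that FE_USER/FE_GROUP are not available. If internal parameters are now transported as a SIP, state how that SIP is accepted on the render side despite the missing session, and whether the FE_USER/FE_GROUP limitation still applies; otherwise readers may assume access-restricted pages can be rendered into the PDF. "Any QFQ internal parameter" is also undefined at this point: name which parameters count as internal, say whether the `<key n>=<value n>` pairs of `urlParam` are included, or link to the section that defines them.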