author | Andreas Gohr <andi@splitbrain.org> | 2006-10-17 19:53:29 +0200 |
---|---|---|
committer | Andreas Gohr <andi@splitbrain.org> | 2006-10-17 19:53:29 +0200 |
commit | 894a80cc56d188b10cc78bb4c088bea731f991a2 (patch) | |
tree | f02c800c5f2872bf614ca8161ca07f69ddd9b35f /conf/dokuwiki.php | |
parent | 5b8fbc22b64a916716a97745d645316f213db374 (diff) | |
download | rpg-894a80cc56d188b10cc78bb4c088bea731f991a2.tar.gz rpg-894a80cc56d188b10cc78bb4c088bea731f991a2.tar.bz2 |
restrict fetch.php's download abilities

This patch changes fetch.php's ability to download external files. It now checks
for the returned MIME type and will only download images. For all other
MIME types a redirect is sent back to the browser. This reduces the risk of
being misused as an open proxy.

Additionally the download facility is disabled completely by default by setting
the fetchsize option to 0. Users who want the feature need to overwrite the option
in their local.php.

Background: The ability to download external files is needed to resize external
images on the server side. When disabled, a redirect is sent to the browser which
will download the fullsize image and rescale it on the client side which is more
bandwidth and CPU intensive.
darcs-hash:20061017175329-7ad00-cd1b1bfa043a04540c51ca8380d28deaa14147d1.gz
Diffstat (limited to 'conf/dokuwiki.php')
-rw-r--r-- | conf/dokuwiki.php | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/conf/dokuwiki.php b/conf/dokuwiki.php index 9403de176..f3fd8286a 100644 --- a/conf/dokuwiki.php +++ b/conf/dokuwiki.php @@ -80,7 +80,7 @@ $conf['compression'] = 'gz'; //compress old revisions: (0: off) ('gz // bz2 generates smaller files, but needs more cpu-power $conf['cachetime'] = 60*60*24; //maximum age for cachefile in seconds (defaults to a day) $conf['locktime'] = 15*60; //maximum age for lockfiles (defaults to 15 minutes) -$conf['fetchsize'] = 2*1024*1024; //maximum size (bytes) fetch.php may download from extern +$conf['fetchsize'] = 0; //maximum size (bytes) fetch.php may download from extern, disabled by default $conf['notify'] = ''; //send change info to this email (leave blank for nobody) $conf['registernotify'] = ''; //send info about newly registered users to this email (leave blank for nobody) $conf['mailfrom'] = ''; //use this email when sending mails |
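Review bot: The new comment on `$conf['fetchsize']` says "disabled by default" but never states that the value 0 is what disables downloading, so a reader could take 0 to mean "no limit", the opposite of the intended hardening. The `compression` line in the same context already uses the "(0: off)" convention; a comment such as `//maximum size (bytes) fetch.php may download from external URLs (0: disabled, the default)` would be unambiguous and would also fix the truncated "extern". Because the default drops from `2*1024*1024` to `0`, installs that never set this option lose server-side resizing of external images on upgrade, which deserves an upgrade note pointing at local.php. The MIME type check described in the commit message is not in this file's diff, so it cannot be reviewed from these lines.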