Attachment Filter

Name Attachment Filter
Version 1.1
Product Versions Confluence 2.2 - 2.3.x
Author(s) Laura Kolker, Brendan Patterson
Homepage http://confluence.atlassian.com/display/CONFEXT/Attachment+Filter
Price Free
License Apache
JavaDocs https://svn.atlassian.com/svn/public/contrib/confluence/attachment-filter/doc
IssueTracking  
Download Plugin For use with 2.2: AttachmentFilter.tar, For use with 2.3: plugins-attachment-filter-1.1.tar
Download Source https://svn.atlassian.com/svn/public/contrib/confluence/attachment-filter/src

Description/Features

The Attachment Filter Plugin allows administrators to control which file types users may upload.

Installation

  1. Download the AttachmentFilter.tar.
  2. Untar it. (tar xvf AttachmentFilter.tar)
  3. The tar contains 2 files of interest:
    1. The plugin jar (plugins-attachfilter.jar)
    2. An updated Atlassian class (AttachFileHelper.class). Note: if you're feeling nervous about this, back up the Atlassian class somewhere before continuing.
  4. Copy plugins-attachfilter.jar to [Confluence-DIR]/confluence/WEB-INF/lib/.
  5. Copy AttachFileHelper.class to [CONFLUENCE-DIR]/confluence/WEB-INF/classes/com/atlassian/confluence/util/.
  6. Restart Confluence
All attachments will be restricted

All attachments will be filtered until you configure which ones you allow.

Not Upload Friendly

The attachment filter plugin will not work correctly if you attempt to install it by uploading it with the Plugins Administrative console. The plugin must be installed in WEB-INF/lib, and Confluence must be restarted, for the plugin to work correctly.

Configuration

After installation, all file uploads will be restricted! To allow filetypes:
1. Log in as an administrator.
2. Go to the Administration Console.
3. Click the Customize Attachment Filter link (in the Configuration panel)
4. Add extensions by typing a comma-separated list of extensions into the text field and clicking the '+' button.
5. See the Help Tips panel on that page for further instructions.

Future Improvements

Advanced Filetype Checking

This hasn't been implemented yet, although the UI for the Configuration page already has the stubs set up for it.
Currently, the AttachmentFilter simply checks the filename for a valid extension. If you're just trying to encourage your users towards following your company policies, that's fine. As a security feature, however, it falls short: nothing stops someone from uploading an .exe file that has been renamed to, say, .jpg. So, if this plugin is meant to protect the wiki from malicious users, the files themselves have to be verified to be what they say they are.

As a quick fix, I think it would be possible to exec an existing app (like the Unix 'file' command) to do this checking for us.

So, changes that would allow this would be:

  • Configuration page provides:
    • a way to turn this on
    • a way to tell the plugin where the 'file' command is located on the system (/usr/bin/file)
  • The AttachmentFilter.isValidExtension method now passes a candidate filename to the file command (via Runtime.exec) and compares the return value against what it's expecting.
    • Security concern: in order to do this we'll have to upload the file, so the file command can look at it. Does this mean we attach it, then remove it?
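
One way the proposed check could look, as an added example that is not the plugin's own code: the upload is spooled to a scratch file, so nothing is attached before it passes, and the 'file' command is run on it without a shell. The class, method and ALLOWED policy are hypothetical; it assumes Java 11+ and a 'file' binary that supports --brief and --mime-type.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.*;
import java.util.concurrent.TimeUnit;

/** Hypothetical helper, not part of the Attachment Filter plugin. */
public class ContentTypeCheck {
    // Constructed sample policy: allowed extension -> MIME types 'file' may report for it.
    static final Map<String, Set<String>> ALLOWED = Map.of(
        "jpg", Set.of("image/jpeg"),
        "png", Set.of("image/png"),
        "pdf", Set.of("application/pdf"));

    /** True only if the extension is allowed and the content matches it. */
    static boolean isValidUpload(String filename, InputStream data, String fileCmd)
            throws IOException, InterruptedException {
        int dot = filename.lastIndexOf('.');
        if (dot < 0) return false;
        Set<String> expected = ALLOWED.get(filename.substring(dot + 1).toLowerCase(Locale.ROOT));
        if (expected == null) return false;            // extension not on the allow list
        // Scratch file with a generated name: the upload is never attached before
        // the check passes, and the user-supplied filename never reaches exec.
        Path tmp = Files.createTempFile("upload-", ".chk");
        try {
            Files.copy(data, tmp, StandardCopyOption.REPLACE_EXISTING);
            // Argument list, no shell: nothing in the path is interpreted.
            Process p = new ProcessBuilder(fileCmd, "--brief", "--mime-type", tmp.toString())
                    .redirectErrorStream(true).start();
            if (!p.waitFor(5, TimeUnit.SECONDS)) {     // fail closed if the command hangs
                p.destroyForcibly();
                return false;
            }
            // The output is one short line, so reading it after exit cannot block.
            String mime;
            try (InputStream out = p.getInputStream()) {
                mime = new String(out.readAllBytes(), StandardCharsets.US_ASCII).trim();
            }
            return p.exitValue() == 0 && expected.contains(mime);
        } finally {
            Files.deleteIfExists(tmp);                 // remove the scratch copy either way
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a Windows executable header ("MZ") named photo.jpg.
        byte[] fake = {'M', 'Z', (byte) 0x90, 0, 3, 0, 0, 0};
        System.out.println(isValidUpload("photo.jpg", new ByteArrayInputStream(fake), "/usr/bin/file"));
    }
}
```

Any failure (unknown extension, timeout, non-zero exit, unexpected MIME type) rejects the upload, which matches the plugin's restrict-by-default behaviour.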

Filtering on a per Space basis

Currently, the Attachment Filter works only on a global basis. Administrators might want to apply this plugin on a per-space basis.
I think the big issue here is providing:

  • a Configuration page from the Space Admin tab (so, adding another Web UI Plugin to do this)
  • again, adjusting the AttachmentFilter.isValidExtension method to check for overriding Space configuration options.
  • maybe a global setting to explicitly set non-overridable options. (A global administrator might not want to let anyone allow, for example, .exe files anywhere. This might be especially important if non-global admins had some Space administrative rights.)

  1. Jan 04, 2007

    Jack Pinette says:

    Very interesting plugin.  Along with being useful in its own right, it's a handy guide for a Confluence newbie such as myself toward making my own changes to the attachment process.

    For example, my organization is more likely to want a blacklist than a whitelist, and would ideally combine a filename pattern blacklist with an external virus scan.  This plugin gives me a good start in figuring out how to do this.  Thanks!

  2. Sep 24, 2007

    Michael S. says:

    Are there any plans to make this plug-in compatible with Confluence 2.5.x?

    1. Sep 24, 2007

      Laura Kolker says:

      Hi Mike,

      Sorry you had to post this on top of emailing me. My bad. :/

      I responded to your email, but in case anyone else is curious about this, the short answer is:
      Unfortunately, not at this time.

      That being said, I've created a JIRA issue for this problem: http://developer.atlassian.com/jira/browse/ATFL-2

      Cheers,
      Laura

  3. Apr 01, 2008

    Royce Wong says:

    Any update for this plugin? I am using Confluence 2.7.2. I don't see it in the plugin repository. Thanks.

    1. Apr 02, 2008

      Laura Kolker says:

      Hi Royce,

      As it happens, no, we don't have any recent versions. It's never been released for the plugin repository as it has upload-unfriendly install steps (some core Atlassian classes have to be overridden).

      Thanks for your interest.
      Cheers,
      Laura