I can see that the Auto-Attach Files feature can be a handy tool for hackers, but it does not fit into the corporate space of TWiki. Problems:
- It defeats the complete audit trail TWiki gives (there are UnknownUsers doing stuff)
- It is seen as a security issue if an UnknownUser can change content (see e-mail below)
Therefore we should turn this feature off by default.
E-mail received:
> I prefer to email you than ask the support web as this is a little
> delicate.
>
> On our Main/WebHome page someone has attached 131 png files. I saw these
> last week and removed them but they have now been re-attached by
> UnknownUser. They look like this
>
> 4c7bcbae97ad322481c5cf3d35d7ac9b.png manage 0.2 K 05 Nov 2006 - 03:06
> UnknownUser
>
> They seem harmless enough but my problem is that I can not find how they
> were attached. There is nothing obvious from the web logs or the TWiki
> logs. I did remove them by hand on the unix shell however. Either TWiki
> has someone re-attached them or someone is playing around. We have
> kerberos authentication here and one has to be registered and
> authenticated to edit or attach.
>
> Can you spread some light on this please?
--
PTh
Done, 12000. (nice round number)
--
PTh
4.1.0 released
KJL