Attachments
Attachments can be uploaded either through the regular upload action, WebDAV, XML-RPC or Rest.
As an administrator you can set limits on the maximum size of an attachment and where the attachments will be stored.
Size Limit
The maximum size of an attachment is limited by a configuration parameter in the XWikiPreferences document. It is set to 100GB by default (32MB for XWiki < 10.9RC1).
To change it follow these steps:
- Go to http://<yourwiki>/xwiki/bin/edit/XWiki/XWikiPreferences?editor=object
- Click on the line that says XWikiPreferences 0 (right below the line that says Objects of type XWiki.XWikiPreferences (1))
- Scroll down to the field that says Maximum Upload Size and change the number to whatever size you want (it is expressed in bytes)
- Scroll to the bottom and click "Save"
- Repeat for each (sub)wiki for which you need to increase the size, since currrently this configuration has to be set per wiki
Mimetype Restriction
See Attachent Validation Application.
Versions
When a user uploads an attachment and then uploads another attachment with the exact same name, you can decide whether or not to keep a version history of the attachments like you do with documents.
XWiki stores all document attachment versions by default which costs more storage space. If you need only latest versions of attachments, you can disable attachment version control by editing your xwiki.cfg and adding:
Deletion
Deleted attachments are stored in a recycle bin so that they can be restored along with the document when rolling back or previewing an earlier version where the attachment should be visible. To disable this feature, edit xwiki.cfg and add:
You can view the list of deleted attachments in your wiki and delete them permanently by going to XWiki.DeletedAttachments in your wiki.
Attachment Storage
XWiki offers plugin attachment storage mechanisms so you can store your attachments in the database or directly in the filesystem.
Generally metadata for attachment and deleted attachments stay in the database whatever store is used for the content. The metadata contains the type of store used for the content allowing each attachment to choose a different store. The consequence is that what you configure is the default store for a new attachment and not the store used for all attachments.
Filesystem Attachment Store
XWiki 10.5+ The default.
The Filesystem attachment store saves your attachments in files in a directory tree. This means you will have one more thing to do when you back up your data but it also means you can save larger (over one gigabyte) files. Filesystem attachment store implements a two stage commit mechanism to maintain integrity even if the database fails to commit the attachment meta-data.
See Filesystem for more details about the XWiki Filesystem Store in general.
Filesystem attachment store location
By default the filsystem storage is located in a sub-folder (XWiki 11.0+ store/file or XWiki <11.0 storage) of the permanent directory (defined with the parameter environment.permanentDirectory in the xwiki.properties file). By default, the permanent directory ends up in the application server work directory, which is intended to be a temporary directory, so unless you are using a package that takes care of it for you (like the Debian package), it's highly recommended to set this value explicitly to be absolutely sure it's located in a safe location.
For example:
XWiki 11.4+
It's possible to set the location of the filesystem store without modifying the general permanent directory using property store.file.directory of the file xwiki.properties.
Format
Like the database, the filesystem store is based on entities (wiki, document, etc.). To reduce potential problems with very restrictive (in terms of supported encoding and path size) filesystems the paths is hashed.
For example the attachment in document is stored in the following location:
<databae name>/<first character of the document reference hash>/<second character of the document reference hash>/<remaining characters of the document reference hash>/attachments/<first character of the attachment name hash>/<second character of the attachment name hash>/<remaining characters of the attachment name hash>/f.<ext>
- xwiki
- 0
- 1
- 42dd85f30db08e0b07a656e2fd6160
- attachments
- c
- c
- 35d4b8e796c869289176c383aa3da3
- f.lnk
- fv1.1.png
- 35d4b8e796c869289176c383aa3da3
- c
- c
- attachments
- 42dd85f30db08e0b07a656e2fd6160
- 7
- d993d3bfbf84d0bbf1957f33d6cc93
- attachments
- 1
- 5
- fd58c6652b9302978713b8a8ef2a39
- f.lnk
- fv1.1.png
- fd58c6652b9302978713b8a8ef2a39
- 5
- 1
- attachments
- d993d3bfbf84d0bbf1957f33d6cc93
- 1
- 0
Other considerations
If you are running a cluster you will need to have a synchronized storage directory for each node. You can use NFS or other means to mount the disk on each node in the cluster.
Directory cleanup
XWiki 6.0+ It is possible to save time on startup by preventing XWiki from cleaning up empty directories in the Filesystem Attachment Store. To do this, edit xwiki.properties and set store.fsattach.cleanOnStartup to false. If you do this, you will be responsible for cleanup of empty directories yourself.
Database Attachment Store
XWiki <10.5 The default.
This attachment storage mechanism stores your attachments in database entries in the xwikiattachment_content, xwikiattachment_archive and xwikiattrecyclebin tables. This system allows for easy backup of your attachments by dumping the database and keeping all of your data together, but attachment size is memory constrained since the attachment content and archive must all be held in memory. As a general rule, attachments larger than 30MB are not possible.
Switch to database attachment store
These settings should read as follows:
xwiki.store.attachment.versioning.hint = hibernate
xwiki.store.attachment.recyclebin.content.hint=hibernate
# If you need to use database store for the attachment it's probably true for deleted attachments
xwiki.store.recyclebin.content.hint = hibernate
Also make sure they are not commented out.
Attachment display or download
When possible (see Security section below) attachments are displayed directly in the browser when accessed.
It is possible for developers to force-downloading an attachment by adding the parameter ?force-download=1 in the attachment URL.
XWiki 12.10+
it's possible to use a dedicated property in xwiki.properties to always force some attachment mime-types to be downloaded:
#-# Define the kind of attachment that you always want to be downloaded and never displayed inline.
#-# By default this list is empty, but you can specify a list of mime-types (coma separated list of values) which
#-# should be always downloaded no matter who attached them or what is the whitelist/blacklist configuration.
#-#
#-# The distinction with the blacklist configuration above is that the blacklist won't affect file attached by a user
#-# with programming rights, while this configuration affect any attachment.
# attachment.download.forceDownload=
Upload summary
XWiki 16.3.0+
You can enable upload summaries in xwiki.properties to let users add descriptions during attachment uploads.
#-# Indicate whether or not comments for attachment uploads should be settable from UI, and displayed whenever the
#-# attachment revisions are listed. The default is false.
# attachment.upload.enableComments=false
Security
In order to prevent attacks by using attachments, it's possible to control which attachments' can be directly opened on the browser based on their mimetypes.
Two properties in xwiki.properties allow to control that independently:
#-# Define the kind of attachment that can be displayed inline. You can either choose to do it through a whitelist
#-# (only the mimetypes defined in this list would be displayed inline) or a blacklist (every mimetype that is not in
#-# this list would be displayed inline if possible).
#-# Note that only one configuration is used between the whitelist and the blacklist, and the whitelist always have
#-# the priority over the blacklist. Also note that these configurations exist for security reason so they are only
#-# impacting attachments added by users who do not have programming rights.
#-# If you want to force downloading some attachments types please check the configuration below.
#-#
#-# By default we use the following whitelist (coma separated list of values).
# attachment.download.whitelist=audio/basic,audio/L24,audio/mp4,audio/mpeg,audio/ogg,audio/vorbis,audio/vnd.rn-realaudio,audio/vnd.wave,audio/webm,image/gif,image/jpeg,image/pjpeg,image/png,image/tiff,text/csv,text/plain,text/xml,text/rtf,video/mpeg,video/ogg,video/quicktime,video/webm,video/x-matroska,video/x-ms-wmv,video/x-flv
#-#
#-# If you prefer to use a blacklist instead, you can define the forbidden types here, as a coma separated list of
#-# values. We advise you to forbid at least the following mimetypes : text/html, text/javascript
# attachment.download.blacklist=text/html,text/javascript