Attachments (XWiki.org)

Attachments can be uploaded either through the regular [[upload action>>platform:Features.Attachments]], [[platform:Features.WebDAV]], [[XML-RPC>>extensions:Extension.XML-RPC Integration]] or [[Rest>>platform:Features.XWikiRESTfulAPI]].

6

As an administrator you can set limits on the maximum size of an attachment and where the attachments will be stored.

= Size Limit =

The maximum size of an attachment is limited by a configuration parameter in the //XWikiPreferences// document. It is set to 100GB by default (32MB for XWiki < 10.9RC1).

11

To change it follow these steps:

12

13

1. Go to //{{{http://<yourwiki>/xwiki/bin/edit/XWiki/XWikiPreferences?editor=object}}}//

14

1. Click on the line that says ##XWikiPreferences 0## (right below the line that says ##Objects of type XWiki.XWikiPreferences (1)##)

15

1. Scroll down to the field that says ##Maximum Upload Size## and change the number to whatever size you want (it is expressed in bytes)

16

1. Scroll to the bottom and click "Save"

17

18

19

Note that if you've already tried to attach a file and it failed, in order for the new size setting to be taken into account you might need to clear your browser's cache.

20

21

22

= Mimetype Restriction =

23

24

25

The mimetype allowed/blocked on a space can be configured.

26

27

== xwiki.properties ==

28

29

##xwiki.properties## allow to configure the default mimetype restrictions at farm level.

#-# [Since 14.10RC1]

#-# Define the list of allowed attachment mimetypes. By default, this list is empty, but you can specify a

34

#-# comma-separated list of allowed mimetypes. Note that a joker (*) can be used to accept any media type. Once this

35

#-# list is not empty, any attachment with an unlisted mimetype will be rejected.

36

#-# For instance, if you want to only accept plain text and any kind of images, you can set the list to:

37

#-# text/plain,image/*

38

# attachment.upload.allowList=

39

40

#-# [Since 14.10RC1]

41

#-# Define the list of blocked attachment mimetypes. By default, this list is empty, but you can specify a

42

#-# comma-separated list of blocked mimetypes. Note that a joker (*) can be used to accept any media type. Once this

43

#-# list is not empty, any attachment matching one of the listed mimetype will be rejected.

44

#-# For instance, if you want to reject plain text and any kind of images, you can set the list to:

45

#-# text/plain,image/*

46

#-#

47

# attachment.upload.blockList=

== Administration UI ==

52

53

The mimetype restrictions can also be configured at wiki or space level through the administration UI, by visiting the ##Attachments Restriction## section of the administration.

= Versions =

When a user uploads an attachment and then uploads another attachment with the exact same name, you can decide whether or not to keep a version history of the attachments like you do with documents.

58

XWiki stores all document attachment versions by default which costs more storage space. If you need only latest versions of attachments, you can disable attachment version control by editing your [[xwiki.cfg>>Documentation.AdminGuide.Configuration#HSamplexwiki.cfg]] and adding:

59

60

61

xwiki.store.attachment.versioning=0

= Deletion =

Deleted attachments are stored in a recycle bin so that they can be restored along with the document when rolling back or previewing an earlier version where the attachment should be visible. To disable this feature, edit [[xwiki.cfg>>Documentation.AdminGuide.Configuration#HSamplexwiki.cfg]] and add:

67

68

69

storage.attachment.recyclebin=0

70

71

72

You can view the list of deleted attachments in your wiki and delete them permanently by going to ##XWiki.DeletedAttachments## in your wiki.

73

74

= Attachment Storage =

75

76

XWiki offers plugin attachment storage mechanisms so you can store your attachments in the database or directly in the filesystem.

77

78

Generally metadata for attachment and deleted attachments stay in the database whatever store is used for the content. The metadata contains the type of store used for the content allowing each attachment to choose a different store. The consequence is that what you configure is the **default** store for a new attachment and not the store used for all attachments.

79

80

== Filesystem Attachment Store ==

81

82

83

The default since 10.5

84

85

86

The Filesystem attachment store saves your attachments in files in a directory tree. This means you will have one more thing to do when you back up your data but it also means you can save larger (over one gigabyte) files. Filesystem attachment store implements a two stage commit mechanism to maintain integrity even if the database fails to commit the attachment meta-data.

87

88

=== Filesystem attachment store location ===

89

90

By default the filsystem storage is located in a sub-folder (##store/file## since XWiki 11.0 and ##storage## before) of the permanent directory (defined with the parameter ##environment.permanentDirectory## in the ##xwiki.properties## file). By default it's defined to be ##data##, which is a directory relative to where the Java Servlet Container was started. It's recommend to modify this value to be absolute sure that you can start the Servlet Container from any directory and still have XWiki find the attachments located in this work directory.

For example:

environment.permanentDirectory=/opt/tomcat6/data

96

97

98

Since 11.4 it's possible to set the location of the filesystem store without modifying the general permanent directory using property ##store.file.directory## of the file ##xwiki.properties##.

99

100

101

store.file.directory=/my/custom/location

102

103

104

=== Other considerations ===

105

106

If you are running a [[cluster>>Documentation.AdminGuide.Clustering.WebHome]] you will need to have a synchronized storage directory for each node. You can use NFS or other means to mount the disk on each node in the cluster.

107

108

==== Directory cleanup ====

109

110

Since [[XWiki 6.0M2>>xwiki:ReleaseNotes.ReleaseNotesXWiki61M2]], it is possible to save time on startup by preventing XWiki from cleaning up empty directories in the Filesystem Attachment Store. To do this, edit ##xwiki.properties## and set **store.fsattach.cleanOnStartup** to false. If you do this, you will be responsible for cleanup of empty directories yourself.

111

112

== Database Attachment Store ==

113

114

115

The default before 10.5.

116

117

118

This attachment storage mechanism stores your attachments in database entries in the [[xwikiattachment_content>>platform:DevGuide.DsXWikiAttachmentContent]], [[xwikiattachment_archive>>platform:DevGuide.XWikiAttachmentArchive]] and [[xwikiattrecyclebin>>platform:DevGuide.DsXwikiRecycleBin]] tables. This system allows for easy backup of your attachments by dumping the database and keeping all of your data together, but attachment size is memory constrained since the attachment content and archive must all be held in memory. As a general rule, attachments larger than 30MB are not possible.

119

120

=== Switch to database attachment store ===

121

122

These settings should read as follows:

123

124

125

xwiki.store.attachment.hint = hibernate

126

xwiki.store.attachment.versioning.hint = hibernate

127

xwiki.store.attachment.recyclebin.content.hint=hibernate

128

129

# If you need to use database store for the attachment it's probably true for deleted attachments

130

xwiki.store.recyclebin.content.hint = hibernate

131

132

133

Also make sure they are not commented out.

134

135

136

When using this attachment store with a MySQL database, you must set the ##max_allowed_packet## to about 3 times the size of your largest attachment since the attachment and its version history must be saved. See the [[MySQL Installation guide>>Documentation.AdminGuide.InstallationMySQL]] for more information.

137

138

139

= Attachment display or download =

140

141

When possible (see [[Security section>>#HSecurity]] below) attachments are displayed directly in the browser when accessed.

142

It is possible for developers to force-downloading an attachment by adding the parameter ##?force-download=1## in the attachment URL.

143

144

145

it's possible to use a dedicated property in ##xwiki.properties## to always force some attachment mime-types to be downloaded:

#-# [Since 12.10]

#-# Define the kind of attachment that you always want to be downloaded and never displayed inline.

150

#-# By default this list is empty, but you can specify a list of mime-types (coma separated list of values) which

151

#-# should be always downloaded no matter who attached them or what is the whitelist/blacklist configuration.

152

#-#

153

#-# The distinction with the blacklist configuration above is that the blacklist won't affect file attached by a user

154

#-# with programming rights, while this configuration affect any attachment.

155

# attachment.download.forceDownload=

= Security =

In order to prevent attacks by using attachments, it's possible to control which attachments' can be directly opened on the browser based on their mimetypes.

162

Two properties in ##xwiki.properties## allow to control that independently:

#-# [Since 5.2M2]

#-# Define the kind of attachment that can be displayed inline. You can either choose to do it through a whitelist

167

#-# (only the mimetypes defined in this list would be displayed inline) or a blacklist (every mimetype that is not in

168

#-# this list would be displayed inline if possible).

169

#-# Note that only one configuration is used between the whitelist and the blacklist, and the whitelist always have

170

#-# the priority over the blacklist. Also note that these configurations exist for security reason so they are only

171

#-# impacting attachments added by users who do not have programming rights.

172

#-# If you want to force downloading some attachments types please check the configuration below.

173

#-#

174

#-# By default we use the following whitelist (coma separated list of values).

175

# attachment.download.whitelist=audio/basic,audio/L24,audio/mp4,audio/mpeg,audio/ogg,audio/vorbis,audio/vnd.rn-realaudio,audio/vnd.wave,audio/webm,image/gif,image/jpeg,image/pjpeg,image/png,image/tiff,text/csv,text/plain,text/xml,text/rtf,video/mpeg,video/ogg,video/quicktime,video/webm,video/x-matroska,video/x-ms-wmv,video/x-flv

176

#-#

177

#-# If you prefer to use a blacklist instead, you can define the forbidden types here, as a coma separated list of

178

#-# values. We advise you to forbid at least the following mimetypes : text/html, text/javascript

179

# attachment.download.blacklist=text/html,text/javascript

180

Wiki source code of Attachments

Quick Links

Navigation

About

About

Support

Platform

User Guide

Admin Guide

Developer Guide

Projects

XWiki

Extensions

Other

Contribute

Status

Practices

Under the Hood

Get Involved

Get Connected

author	version	line-number	content
		1	{{box cssClass="floatinginfobox" title="Contents"}}
		2	{{toc/}}
		3	{{/box}}
		4
		5	Attachments can be uploaded either through the regular [[upload action>>platform:Features.Attachments]], [[platform:Features.WebDAV]], [[XML-RPC>>extensions:Extension.XML-RPC Integration]] or [[Rest>>platform:Features.XWikiRESTfulAPI]].
		6	As an administrator you can set limits on the maximum size of an attachment and where the attachments will be stored.
		7
		8	= Size Limit =
		9
		10	The maximum size of an attachment is limited by a configuration parameter in the //XWikiPreferences// document. It is set to 100GB by default (32MB for XWiki < 10.9RC1).
		11	To change it follow these steps:
		12
		13	1. Go to //{{{http://<yourwiki>/xwiki/bin/edit/XWiki/XWikiPreferences?editor=object}}}//
		14	1. Click on the line that says ##XWikiPreferences 0## (right below the line that says ##Objects of type XWiki.XWikiPreferences (1)##)
		15	1. Scroll down to the field that says ##Maximum Upload Size## and change the number to whatever size you want (it is expressed in bytes)
		16	1. Scroll to the bottom and click "Save"
		17
		18	{{warning}}
		19	Note that if you've already tried to attach a file and it failed, in order for the new size setting to be taken into account you might need to clear your browser's cache.
		20	{{/warning}}
		21
		22	= Mimetype Restriction =
		23
		24	{{version since='14.10RC1'}}
		25	The mimetype allowed/blocked on a space can be configured.
		26
		27	== xwiki.properties ==
		28
		29	##xwiki.properties## allow to configure the default mimetype restrictions at farm level.
		30
		31	{{code language='properties'}}
		32	#-# [Since 14.10RC1]
		33	#-# Define the list of allowed attachment mimetypes. By default, this list is empty, but you can specify a
		34	#-# comma-separated list of allowed mimetypes. Note that a joker (*) can be used to accept any media type. Once this
		35	#-# list is not empty, any attachment with an unlisted mimetype will be rejected.
		36	#-# For instance, if you want to only accept plain text and any kind of images, you can set the list to:
		37	#-# text/plain,image/*
		38	# attachment.upload.allowList=
		39
		40	#-# [Since 14.10RC1]
		41	#-# Define the list of blocked attachment mimetypes. By default, this list is empty, but you can specify a
		42	#-# comma-separated list of blocked mimetypes. Note that a joker (*) can be used to accept any media type. Once this
		43	#-# list is not empty, any attachment matching one of the listed mimetype will be rejected.
		44	#-# For instance, if you want to reject plain text and any kind of images, you can set the list to:
		45	#-# text/plain,image/*
		46	#-#
		47	# attachment.upload.blockList=
		48	{{/code}}
		49	{{/version}}
		50
		51	== Administration UI ==
		52
		53	The mimetype restrictions can also be configured at wiki or space level through the administration UI, by visiting the ##Attachments Restriction## section of the administration.
		54
		55	= Versions =
		56
		57	When a user uploads an attachment and then uploads another attachment with the exact same name, you can decide whether or not to keep a version history of the attachments like you do with documents.
		58	XWiki stores all document attachment versions by default which costs more storage space. If you need only latest versions of attachments, you can disable attachment version control by editing your [[xwiki.cfg>>Documentation.AdminGuide.Configuration#HSamplexwiki.cfg]] and adding:
		59
		60	{{code language="none"}}
		61	xwiki.store.attachment.versioning=0
		62	{{/code}}
		63
		64	= Deletion =
		65
		66	Deleted attachments are stored in a recycle bin so that they can be restored along with the document when rolling back or previewing an earlier version where the attachment should be visible. To disable this feature, edit [[xwiki.cfg>>Documentation.AdminGuide.Configuration#HSamplexwiki.cfg]] and add:
		67
		68	{{code language="none"}}
		69	storage.attachment.recyclebin=0
		70	{{/code}}
		71
		72	You can view the list of deleted attachments in your wiki and delete them permanently by going to ##XWiki.DeletedAttachments## in your wiki.
		73
		74	= Attachment Storage =
		75
		76	XWiki offers plugin attachment storage mechanisms so you can store your attachments in the database or directly in the filesystem.
		77
		78	Generally metadata for attachment and deleted attachments stay in the database whatever store is used for the content. The metadata contains the type of store used for the content allowing each attachment to choose a different store. The consequence is that what you configure is the default store for a new attachment and not the store used for all attachments.
		79
		80	== Filesystem Attachment Store ==
		81
		82	{{info}}
		83	The default since 10.5
		84	{{/info}}
		85
		86	The Filesystem attachment store saves your attachments in files in a directory tree. This means you will have one more thing to do when you back up your data but it also means you can save larger (over one gigabyte) files. Filesystem attachment store implements a two stage commit mechanism to maintain integrity even if the database fails to commit the attachment meta-data.
		87
		88	=== Filesystem attachment store location ===
		89
		90	By default the filsystem storage is located in a sub-folder (##store/file## since XWiki 11.0 and ##storage## before) of the permanent directory (defined with the parameter ##environment.permanentDirectory## in the ##xwiki.properties## file). By default it's defined to be ##data##, which is a directory relative to where the Java Servlet Container was started. It's recommend to modify this value to be absolute sure that you can start the Servlet Container from any directory and still have XWiki find the attachments located in this work directory.
		91
		92	For example:
		93
		94	{{code}}
		95	environment.permanentDirectory=/opt/tomcat6/data
		96	{{/code}}
		97
		98	Since 11.4 it's possible to set the location of the filesystem store without modifying the general permanent directory using property ##store.file.directory## of the file ##xwiki.properties##.
		99
		100	{{code}}
		101	store.file.directory=/my/custom/location
		102	{{/code}}
		103
		104	=== Other considerations ===
		105
		106	If you are running a [[cluster>>Documentation.AdminGuide.Clustering.WebHome]] you will need to have a synchronized storage directory for each node. You can use NFS or other means to mount the disk on each node in the cluster.
		107
		108	==== Directory cleanup ====
		109
		110	Since [[XWiki 6.0M2>>xwiki:ReleaseNotes.ReleaseNotesXWiki61M2]], it is possible to save time on startup by preventing XWiki from cleaning up empty directories in the Filesystem Attachment Store. To do this, edit ##xwiki.properties## and set store.fsattach.cleanOnStartup to false. If you do this, you will be responsible for cleanup of empty directories yourself.
		111
		112	== Database Attachment Store ==
		113
		114	{{info}}
		115	The default before 10.5.
		116	{{/info}}
		117
		118	This attachment storage mechanism stores your attachments in database entries in the [[xwikiattachment_content>>platform:DevGuide.DsXWikiAttachmentContent]], [[xwikiattachment_archive>>platform:DevGuide.XWikiAttachmentArchive]] and [[xwikiattrecyclebin>>platform:DevGuide.DsXwikiRecycleBin]] tables. This system allows for easy backup of your attachments by dumping the database and keeping all of your data together, but attachment size is memory constrained since the attachment content and archive must all be held in memory. As a general rule, attachments larger than 30MB are not possible.
		119
		120	=== Switch to database attachment store ===
		121
		122	These settings should read as follows:
		123
		124	{{code language="none"}}
		125	xwiki.store.attachment.hint = hibernate
		126	xwiki.store.attachment.versioning.hint = hibernate
		127	xwiki.store.attachment.recyclebin.content.hint=hibernate
		128
		129	# If you need to use database store for the attachment it's probably true for deleted attachments
		130	xwiki.store.recyclebin.content.hint = hibernate
		131	{{/code}}
		132
		133	Also make sure they are not commented out.
		134
		135	{{info}}
		136	When using this attachment store with a MySQL database, you must set the ##max_allowed_packet## to about 3 times the size of your largest attachment since the attachment and its version history must be saved. See the [[MySQL Installation guide>>Documentation.AdminGuide.InstallationMySQL]] for more information.
		137	{{/info}}
		138
		139	= Attachment display or download =
		140
		141	When possible (see [[Security section>>#HSecurity]] below) attachments are displayed directly in the browser when accessed.
		142	It is possible for developers to force-downloading an attachment by adding the parameter ##?force-download=1## in the attachment URL.
		143
		144	{{version since="12.10"}}
		145	it's possible to use a dedicated property in ##xwiki.properties## to always force some attachment mime-types to be downloaded:
		146
		147	{{code language="none"}}
		148	#-# [Since 12.10]
		149	#-# Define the kind of attachment that you always want to be downloaded and never displayed inline.
		150	#-# By default this list is empty, but you can specify a list of mime-types (coma separated list of values) which
		151	#-# should be always downloaded no matter who attached them or what is the whitelist/blacklist configuration.
		152	#-#
		153	#-# The distinction with the blacklist configuration above is that the blacklist won't affect file attached by a user
		154	#-# with programming rights, while this configuration affect any attachment.
		155	# attachment.download.forceDownload=
		156	{{/code}}
		157	{{/version}}
		158
		159	= Security =
		160
		161	In order to prevent attacks by using attachments, it's possible to control which attachments' can be directly opened on the browser based on their mimetypes.
		162	Two properties in ##xwiki.properties## allow to control that independently:
		163
		164	{{code language="none"}}
		165	#-# [Since 5.2M2]
		166	#-# Define the kind of attachment that can be displayed inline. You can either choose to do it through a whitelist
		167	#-# (only the mimetypes defined in this list would be displayed inline) or a blacklist (every mimetype that is not in
		168	#-# this list would be displayed inline if possible).
		169	#-# Note that only one configuration is used between the whitelist and the blacklist, and the whitelist always have
		170	#-# the priority over the blacklist. Also note that these configurations exist for security reason so they are only
		171	#-# impacting attachments added by users who do not have programming rights.
		172	#-# If you want to force downloading some attachments types please check the configuration below.
		173	#-#
		174	#-# By default we use the following whitelist (coma separated list of values).
		175	# attachment.download.whitelist=audio/basic,audio/L24,audio/mp4,audio/mpeg,audio/ogg,audio/vorbis,audio/vnd.rn-realaudio,audio/vnd.wave,audio/webm,image/gif,image/jpeg,image/pjpeg,image/png,image/tiff,text/csv,text/plain,text/xml,text/rtf,video/mpeg,video/ogg,video/quicktime,video/webm,video/x-matroska,video/x-ms-wmv,video/x-flv
		176	#-#
		177	#-# If you prefer to use a blacklist instead, you can define the forbidden types here, as a coma separated list of
		178	#-# values. We advise you to forbid at least the following mimetypes : text/html, text/javascript
		179	# attachment.download.blacklist=text/html,text/javascript
		180	{{/code}}