Manual:Configuring file uploads

MediaWiki supports uploading and integration of media files. This page describes the technical aspects of this feature, see Manual:Image Administration and Help:Images for general usage information.

Starting from MediaWiki version 1.1, uploads are initially disabled by default, due to security considerations. Uploads can be enabled via a configuration setting, although it is recommended that you check certain prerequisites first:

Make sure uploads are enabled in PHP
The following needs to be set in php.ini (which may be located somewhere like /etc/php/php.ini, /etc/php4/php.ini, /usr/local/lib/php.ini or on Win32 C:\Windows\php.ini):

If this is not set, no PHP scripts can use the upload functions, and MediaWiki's uploads will not be enabled.

Note that if you have open_basedir restrictions in 'php.ini', they need to include both the destination upload folder in your MediaWiki installation ("{$IP}/images") and also the 'upload_tmp_dir' folder (default system folder if not set). The addition of the 'upload_tmp_dir' can avoid messages like "Could not find file "/var/tmp/php31aWnF" (where in this example the 'upload_tmp_dir' is '/var/tmp'). Read more about PHP file uploads at File upload basics and in particular move_uploaded_file.

Note2: The formal value for the variable is a boolean expression. PHP treats each string, not recognised as a False value as true, hence the often used "on" value yields the same result.

Check Apache aliases
Some Apache configurations have the following alias set in httpd.conf: Alias /images/ /usr/share/images/ #Fixed in Apache 02:16, 2 June 2008 (UTC) If this is the case, either

or
 * remove this alias
 * change the upload directory to something else


 * How to test this? if you do not have access to the httpd.conf file of the web server?
 * Either ask your webserver admin or just try it, a commercial webhoster will have the above line disabled in most cases.

Check directory security
The upload directory needs to be configured so that it is not possible for an end user to upload and execute other scripts, which could then exploit access to your web directory and damage your wiki or web site.

Set the /images folder (or the /uploads folder in previous versions) to have permission "755":
 * User can read, write and execute;
 * Group can read and execute;
 * World can read and execute.

If using safe_mode, make sure the directory is owned by the user used for running the php script (that is, the apache user or, in case of suphp, the script owner).

If using SELinux, make sure to adjust the ACLs accordingly (see there).

If using suphp, make sure the umask is set to 0022 (or less) in /etc/suphp.conf.

1.5 upwards
In MediaWiki version 1.5 and later, the attribute to be set resides in LocalSettings.php and is as follows:

This enables uploads, as one might expect. To disable them, set the attribute to false:

Pre-1.5
In older versions of the software, the attribute to be set resides in LocalSettings.php, but is backwards, i.e. $wgDisableUploads. The default is as shown:

Invert the value to enable uploads:

Upload permissions
Per default, all registered users can upload files. To restrict this, you have to change Manual:$wgGroupPermissions:


 * To prevent normal users from uploading files: $wgGroupPermissions['user']['upload'] = false;
 * To create a special group called "uploadaccess", and allow members of that group to upload files: $wgGroupPermissions['uploadaccess']['upload'] = true;
 * To allow "autoconfirmed" (non-newbie) users to upload files: $wgGroupPermissions['autoconfirmed']['upload'] = true;

The right to replace existing files is handled by an extra permission, called reupload:
 * To prevent normal users from overriding existing files: $wgGroupPermissions['user']['reupload'] = false;
 * To allow "autoconfirmed" (non-newbie) users to replace existing files: $wgGroupPermissions['autoconfirmed']['reupload'] = true;

See Manual:User rights for details on user rights, and Manual:Preventing access for more information about restricting access.

Configuring file types
You can add to $wgFileExtensions to allow uploads of any type of file you like. If not included then the $wgFileExtensions line would look something like or or You can also set to allow most types of file to be uploaded. There are restrictions on some blacklisted filetypes. For more details see Meta:Uploading non image files.

If you are getting the error "The file is corrupt or has an incorrect extension", make sure mime type detection is working properly.

If you decide to allow any kind of file, make sure your mime detection is working and think about enabling virus scans for uploads.

Thumbnailing
For information about automatic rendering/thumbnailing of images, see Manual:Image_thumbnailing

Set maximum size for file uploads
Per default, PHP allows uploaded files to be no more than 2 megabytes large. If you want to upload even larger files, change in the config file php.ini the post_max_size and upload_max_filesize parameters. This may require root access to the server - if you are on a shared host, contact your server administrator. The location of the php.ini file varies on the distribution you are using. Try e.g., "locate php.ini", or better yet, just "php -i" to find the location of your config file. Your web server may impose further limits on the size of files allowed for upload. For Apache, one of the relevant settings is LimitRequestBody.

You may need to restart Apache after altering your PHP or web server configuration.

MediaWiki itself issues a warning if you try to upload files larger than what is specified by $wgUploadSizeWarning option. This is independent of the hard limit imposed by PHP. MediaWiki also has a $wgMaxUploadSize option, but that is currently not enforced for local file uploads.

Uploading directly from a URL
If you want to allow a user to directly upload files from a URL, instead of from a file on their local computer, set $wgAllowCopyUploads = true</tt>. On the upload form, you will then see an additional field for the URL, below the usual filename field. The URL field is greyed out per default, but can be activated by activating the radiobutton (checkbox) to the left of the field.

In order to use this feature, users must have the user right upload_by_url</tt>, which is granted only to sysops per default. To allow this to normal users, set </tt>$wgGroupPermissions['user']['upload_by_url'] = true</tt>. Keep in mind that allowing uploads directly from an arbitrary location on the web makes it easier to upload random, unwanted material, and it might be misunderstood as an invitation to upload anything that people might come across on the web.

Note: PHP's cURL support must be enabled to support this feature.

Undeleting images
Undeleting images is possible as an option since MediaWiki 1.8, and enabled per default since MediaWiki 1.11.

Prior to MediaWiki 1.11, you can enable undeletion of images by setting $wgSaveDeletedFiles = true. Since version 1.11, the behavior is controlled by $wgFileStore, and deleted files are per default stored in $wgUploadDirectory/deleted.