The AttachFile action enables a page to have multiple attached files. Since file uploads could be abused for DoS (Denial of Service) attacks, AttachFile is an action that may be enabled by the wiki administrator. To do this, add "allowed_actions = ['AttachFile']" to your configuration file.
How attachments are handled
Attachments are stored in a directory directly accessible by the web server, and can thus be served directly by the web server, without any invocation of MoinMoin (leading to URLs like http://myorg.org/mywikiattach/<Somepage>/attachments/filename.ext).
The MoinMoin attachments configuration option allows you to move the directory structure used to store attachments to another location. Unless you have a reason for doing so, there is no need to use a different location. Using a different location may be more work and more risk, as all the existing attachments must be copied to the new location. The following instructions are for Apache servers and assume you intend to leave the attachment files in their existing location and your original installation used the name "mywiki".
Serving attachments directly by the web server
The first step is to tell Apache that it has another Alias directory from which it can serve files. Review the changes you made to the httpd.conf (or commonhttpd.conf) file during the MoinMoin installation and find the ScriptAlias statement similar to the following:
Be sure to note the differences in the trailing slashes between the two statements; they must be entered exactly as shown above. If you are making this change to a running system, you must restart Apache for the change to take effect.
The second step is to tell MoinMoin to let Apache do the work of fetching file attachments. To do this, you need to add an attachments option to .../mywiki/wikiconfig.py. The 'attachments' option is a dictionary of two values:
MoinMoin must still do the work of uploading file attachments. The dir value above tells MoinMoin where to store attachments; note this is the same as the path in the new Apache Alias statement but without the trailing "/". The url value tells MoinMoin how to retrieve the attachments; this matches the URI in the Alias statement but again without the trailing "/".
Your attached files are now directly servable by Apache. However, if you also have PHP (or ASP or any other server-parsed language) installed, then an attacker can upload a PHP script and then run it to exploit other local weaknesses.
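One way to keep Apache from executing uploaded scripts in the attachment directory, as an added example that is not part of the original MoinMoin documentation. It assumes Apache 2.4 syntax; /path/to/mywiki/data/pages is a placeholder for the real attachment directory, and the extension list is illustrative and should be matched to the handlers actually installed on the server.

```apache
# Added example. Assumes Apache 2.4; the filesystem path is a placeholder.
# The Alias keeps the trailing "/" on both the URI and the directory.
Alias /mywikiattach/ "/path/to/mywiki/data/pages/"

<Directory "/path/to/mywiki/data/pages/">
    # Files here are served as static content to anyone who can reach the wiki.
    Require all granted

    # No CGI execution, no server-side includes, no directory listings.
    Options -ExecCGI -Includes -Indexes

    # Ignore any .htaccess file that ends up in the upload tree, so an
    # uploaded file cannot re-enable a handler for this directory.
    AllowOverride None

    # Refuse requests for files carrying a server-parsed extension.
    # mod_mime looks at every dot-separated extension of a file name, so the
    # pattern matches the extension anywhere in the name, not only at the end.
    <FilesMatch "(?i)\.(php\d?|phtml|phar|asp|aspx|jsp|cgi|pl|py|shtml)(\.|$)">
        Require all denied
    </FilesMatch>
</Directory>
```

After restarting Apache, a request for a test file with one of the listed extensions under /mywikiattach/ should return 403, while ordinary attachments such as images are still served.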
After you have completed the configuration changes, test by uploading an attachment for WikiSandBox. Then modify the WikiSandBox page to display the uploaded image or download the file. If there were existing attachments before this change, verify the old attachments are still available. Finally, review the Apache access.log file to verify you have a log entry showing the expected file access: