Can you clarify this some, Andrew?

> Let's talk about the first problem, as it sounds like you are uploading the
> file directly to the images directory. This is a major security risk and you
> should avoid this.

If appropriate formats are specified in the cffile "accept" parameter, what
risk is there?  Some kind of file that "fakes" its format or has malicious
code embedded in it?

And concerning your second concern below, I've always assumed that using the
"accept" parameter was enough to verify file format and prevent malicious
code from being uploaded in a file.  What other tests are there that can be
run to verify images?

Thanks,

Rick



-----Original Message-----
From: Andrew Scott [mailto:andr...@andyscott.id.au] 
Sent: Sunday, April 18, 2010 6:00 PM
To: cf-talk
Subject: RE: Can this be done?


You actually have two problems here.

Let's talk about the first problem, as it sounds like you are uploading the
file directly to the images directory. This is a major security risk and you
should avoid this.

Second, this gives you the opportunity to store the files into a temp
directory that is not accessible by the web, in which you can then run what
you need to make sure that they are indeed images and are of the required
types before deleting them.

Hope that helps.
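Rick's question (what tests beyond the "accept" attribute can verify an upload) and Andrew's advice to run such checks while the file sits in a non-web-accessible temp directory, as an added Python example that is not from the thread: it inspects the file's own bytes rather than the MIME type the browser sent, and for JPEGs reads the frame header's component count, which flags the CMYK files Matt describes. The allow-list, the sample files and the function names are constructed for this example.

```python
import struct
# Constructed allow-list: leading bytes ("magic") of the accepted image types.
MAGIC = {"jpeg": (b"\xff\xd8\xff",), "png": (b"\x89PNG\r\n\x1a\n",),
         "gif": (b"GIF87a", b"GIF89a")}

def sniff_type(data):
    """Return the image type implied by the file's first bytes, or None."""
    for name, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return name
    return None

def jpeg_components(data):
    """Walk JPEG marker segments to the first SOF marker and return its
    component count (1 greyscale, 3 YCbCr/RGB, 4 CMYK); None if malformed."""
    pos = 2  # skip SOI (FF D8)
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None  # lost marker sync: not a well-formed JPEG
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte before a marker
            pos += 1
            continue
        if marker in (0xD9, 0xDA):  # EOI or SOS reached without any SOF
            return None
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker in (0xC0, 0xC1, 0xC2):  # SOF0/1/2: len, precision, h, w, ncomp
            return data[pos + 9] if pos + 9 < len(data) else None
        pos += 2 + length
    return None

def check_upload(data, allowed=("jpeg", "png", "gif")):
    """Return (ok, reason) for a file body still sitting in the temp directory."""
    kind = sniff_type(data)
    if kind not in allowed:
        return False, "content is not a permitted image type"
    if kind == "jpeg":
        ncomp = jpeg_components(data)
        if ncomp is None:
            return False, "malformed JPEG: no frame header"
        if ncomp == 4:
            return False, "CMYK JPEG: may not display in browsers"
    return True, kind
# Constructed sample files: SOI + APP0 + SOF0 declaring 3 or 4 components.
_APP0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
RGB_JPEG = (b"\xff\xd8" + _APP0 + b"\xff\xc0\x00\x11\x08\x00\x10\x00\x10\x03"
            + b"\x01\x22\x00\x02\x11\x01\x03\x11\x01")
CMYK_JPEG = (b"\xff\xd8" + _APP0 + b"\xff\xc0\x00\x14\x08\x00\x10\x00\x10\x04"
             + b"\x01\x11\x00\x02\x11\x01\x03\x11\x01\x04\x11\x01")
```

Only files that pass check_upload should be moved from the temp directory into the web-served images directory; the rest are deleted there, as Andrew describes.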



-----Original Message-----
From: Matthew Friedman [mailto:m...@hozgroup.com] 
Sent: Monday, 19 April 2010 6:43 AM
To: cf-talk
Subject: Can this be done?


We have a site where people are uploading images to our site.

We are using cffile upload, checking the sizing, resizing them - all is
working great but....
about 2% of the images will sometimes be uploaded but not able to be displayed
on the site - they might be set as CMYK or some other reason and there is
the red x being displayed.

Here is my question - since I have the full url to the image saved in the
database, is there any way that I can check the images that have been
uploaded in the past hour and see if they are working in an automated
format?

My thoughts would be to just loop through the list by hour and use an http
get to see the image - the question is, is there a host header error or notice
that will indicate that the image is bad and we need to fix the image?

We are trying to be proactive instead of reactive to clients telling us that
there is a bad image on the list.

Thanks for any insight.
Matt

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:332987