Robertson [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 24, 2006 8:33 PM
To: CF-Talk
Subject: Re: Mime Type for File Upload
Bear in mind that cffile simply matches the mime type to its allowed
extension... so if someone wants to upload an .exe file all they have
to do is give it a .pdf
submit form.cfm to
upload.php and then redirect back to form.cfm
Cheers,
Martyn
-Original Message-
From: Rick Faircloth [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 26, 2006 1:18 AM
To: CF-Talk
Subject: RE: Mime Type for File Upload
if someone wants to upload an .exe file all
Rick Faircloth wrote:
Need to specify the CFFILE Accept attributes for .doc and .pdf.
What would those be?
I know Accept = application/msword would accept
Word docs, but would they be limited to the .doc filetype?
And what about .pdf. application or text or ???
I want to limit uploads to .doc
I've never used PHP, so I'll have to do some
work to get that done...I'll check it out...
Thanks for the tip!
Rick
-Original Message-
From: Martyn Bowis [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 25, 2006 8:42 AM
To: CF-Talk
Subject: RE: Mime Type for File Upload
Hi Rick,
Use
Use PHP as this can definitely determine mime type as well as
file extension.
I'm pretty sure that, just like CF, PHP just looks at the MIME type it's
given. So, if you're using CF for everything else, you might as well use it
for this also. You use the ACCEPT attribute of CFFILE to list
if someone wants to upload an .exe file all they have to do
is give it a .pdf extension. Plan your security for that as
best you can.
What type of security can prevent that? What can truly
determine what type of file a file is except by extension?
Well, the extension isn't what
Thanks for the advice, Mosh!
Rick
-Original Message-
From: Mosh Teitelbaum [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 25, 2006 9:44 AM
To: CF-Talk
Subject: RE: Mime Type for File Upload
Rick Faircloth wrote:
Need to specify the CFFILE Accept attributes for .doc and .pdf
: Mime Type for File Upload
if someone wants to upload an .exe file all they have to do
is give it a .pdf extension. Plan your security for that as
best you can.
What type of security can prevent that? What can truly
determine what type of file a file is except by extension?
Well
Thanks for the advice, Dave...and what does this mean in practice?
you don't want to allow files to be placed where they could
be potentially executed.
Set the permissions on the directory where you write these files so that
they can't be executed by CF or your web server, and don't make
Thanks!
-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 25, 2006 11:22 AM
To: CF-Talk
Subject: RE: Mime Type for File Upload
Thanks for the advice, Dave...and what does this mean in practice?
you don't want to allow files to be placed where
Hi again,
If CFFile does not read the file content when uploading, then perhaps you
can use CFFILE to read the BINARY content of that file that has been
uploaded (before renaming or making it available anywhere for anyone to
access) and determine its header makeup from that?
See the following
http://www.webmaster-toolkit.com/mime-types.shtml
Need to specify the CFFILE Accept attributes
for .doc and .pdf.
What would those be?
I know Accept = application/msword would accept
Word docs, but would they be limited to the .doc filetype?
And what about .pdf. application or text or ???
I
Hi Rick,
The following is a list of mime types:
http://www.netdesign.co.nz/mime.htm
I suggest that you use a cfswitch to validate your file uploads (see below).
You could also add another switch that evaluates mime type ... Which I
assume you are already doing, hence the need for the list.
Bear in mind that cffile simply matches the mime type to its allowed
extension... so if someone wants to upload an .exe file all they have
to do is give it a .pdf extension. Plan your security for that as
best you can. For example don't allow file renaming!
--
[EMAIL PROTECTED]
Janitor, MSB
headers to get the
mime type. If not, then perhaps PHP is safer for file upload processing?
Cheers,
Martyn
-Original Message-
From: Matt Robertson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 25, 2006 1:33 PM
To: CF-Talk
Subject: Re: Mime Type for File Upload
Bear in mind
:[EMAIL PROTECTED]
Sent: Tuesday, October 24, 2006 8:21 PM
To: CF-Talk
Subject: RE: Mime Type for File Upload
Hi Rick,
The following is a list of mime types:
http://www.netdesign.co.nz/mime.htm
I suggest that you use a cfswitch to validate your file uploads (see below).
You could also add another
Thanks for the tip, Matt...
Is that what Martyn's CFSwitch routine would do?
Rick
-Original Message-
From: Matt Robertson [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 24, 2006 8:33 PM
To: CF-Talk
Subject: Re: Mime Type for File Upload
Bear in mind that cffile simply matches
Thanks for the reference, Dave...
Rick
-Original Message-
From: Dave Lyons [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 24, 2006 8:06 PM
To: CF-Talk
Subject: Re: Mime Type for File Upload
http://www.webmaster-toolkit.com/mime-types.shtml
on Google, the coder's best adviser :o) Just search under PHP File
Upload
-Original Message-
From: Rick Faircloth [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 25, 2006 2:49 PM
To: CF-Talk
Subject: RE: Mime Type for File Upload
Not quite sure what's happening here on the user
Thanks for the explanation, Martyn...I'll see about implementing
that security feature...
Rick
-Original Message-
From: Martyn Bowis [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 24, 2006 10:22 PM
To: CF-Talk
Subject: RE: Mime Type for File Upload
Hi Rick,
When the user submits
Hi again Rick,
I guess what you really need is something simple like:
<cfset filePath = File.ServerDirectory & "/" & File.ServerFile>
<cfset ext = File.ServerFileExt>
<cfset mimetype = "#getPageContext().getServletContext().getMimeType(filePath)#">
<cfswitch expression="#ext#">
<cfcase value="pdf">
-Original Message-
From: Martyn Bowis [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 24, 2006 10:21 PM
To: CF-Talk
Subject: RE: Mime Type for File Upload
PS: I found the following link on Google that may help with
evaluating the
mime type:
http://www.houseoffusion.com
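
The two checks suggested in this thread (read the uploaded file's leading bytes instead of trusting its extension or MIME type, and keep uploads where they cannot be executed), as an added CFML example that is not code from any poster. The form field name `upload` and both directory paths are assumptions.

```cfml
<!--- Added example. Assumed: form field "upload"; both directories sit outside
      the web root and are not executable by CF or the web server. --->
<cfset quarantineDir = "/var/uploads/quarantine">
<cfset storeDir = "/var/uploads/accepted">

<!--- Leading bytes (hex) expected for each allowed extension --->
<cfset signatures = StructNew()>
<cfset signatures["pdf"] = "25504446">          <!--- "%PDF" --->
<cfset signatures["doc"] = "D0CF11E0A1B11AE1">  <!--- OLE2 compound file (legacy Word .doc) --->

<!--- accept= only checks the MIME type the browser sent, so it is a first filter, not proof --->
<cffile action="upload" filefield="upload" destination="#quarantineDir#"
        nameconflict="makeunique" accept="application/pdf,application/msword">

<cfset uploadedPath = cffile.serverDirectory & "/" & cffile.serverFile>
<cfset ext = LCase(cffile.serverFileExt)>
<cfset accepted = false>

<cfif StructKeyExists(signatures, ext)>
    <!--- Read the stored bytes and compare the start of the file with the signature --->
    <cffile action="readbinary" file="#uploadedPath#" variable="fileBytes">
    <cfset hex = UCase(BinaryEncode(fileBytes, "hex"))>
    <cfset sig = signatures[ext]>
    <cfif Left(hex, Len(sig)) EQ sig>
        <cfset accepted = true>
    </cfif>
</cfif>

<cfif accepted>
    <!--- Server-generated name: the client-supplied name never reaches the final path --->
    <cfset storedName = CreateUUID() & "." & ext>
    <cffile action="move" source="#uploadedPath#" destination="#storeDir#/#storedName#">
<cfelse>
    <cffile action="delete" file="#uploadedPath#">
    <cfthrow type="Upload.Rejected" message="File content does not match an allowed type.">
</cfif>
```

A matching signature only shows that the file starts like a PDF or a Word document, so the non-executable storage location remains the control that matters if something else gets through.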