Ooooohhhh!  That's handy ;-)

At 03:35 PM 1/30/03 +0000, you wrote:
>because you can do this
>
><cffile action=read file="ntuser.dat" >
>
>
>WG
>
> > -----Original Message-----
> > From: paul smith [mailto:[EMAIL PROTECTED]]
> > Sent: 30 January 2003 15:13
> > To: CF-Talk
> > Subject: RE: Screening files before CFFile upload: Follow-up
> >
> >
> > Since file upload is part of the http protocol why is CFFILE considered
> > such a security risk?
> >
> > best,  paul
> >
> > At 02:24 PM 1/30/03 +0000, you wrote:
> > >Hi,
> > >
> > > > Follow-up yesterday's thread of trying to screen files before
> > > > uploading with
> > > > cffile:
> > >
> > >I didn't comment on this thread yesterday..so...
> > >
> > > > Just did some comparing of the MX behavior with CF5, to see if could glean
> > > > any valuable info from initial form before uploading using cffile
> > > > using CF5:
> > >
> > >File upload is part of the http protocol, nothing to do with cf. Files are
> > >uploaded as mime attachments. The only thing available to cf is the post
> > >data, fields plus data, mime attachments, and anything else the browser
> > >supplies (cookies, agent string etc.)
> > >
> > > > If I did a cfdump of the form (initial form with file to upload), in MX,
> > > > regardless of the type of file to be uploaded, it showed the form field value
> > > > as that temporary file (.tmp) --nothing to suggest the actual extension, etc.
> > > > (Will probably use a JavaScript routine as a partial check.)
> > >
> > >The file is nearly always (exception below) uploaded to a tmp file. Once you
> > >call cffile the file is copied to the filename/location you supply. Maybe
> > >renamed to the clientfile name which is supplied in the mime header.
> > >
> > > > In CF5, however, if the file to be uploaded was something like .jpg, .doc,
> > > > it showed in dump as temporary files (.tmp).
> > > > But for things like .txt or .htm, it showed the total rendered
> > > > file in dump!
> > > > Not the name--the actual processed page!
> > >
> > >This is because the mime type for both htm & txt is plain/text so the
> > >browser can just upload it as a field.
> > >
> > >It takes an understanding of http to know _WHY_ this is the way it is.
> > >Web developers really need to read the RFCs!!!!
> > >
> > >There are ways and means of figuring out what size a file is _before_ it is
> > >uploaded.
> > >
> > >a) applet
> > >b) activeX
> > >c) java script in the newer browsers with the permissions set for JS to read
> > >local files
> > >
> > >However none of these are reliable.
> > >
> > > > Gotta get some productive work accomplished. Could investigate
> > > > this forever!
> > >
> > >Fun huh? ;-)
> > >
> > >WG
> > >
> > >
> >
>
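The server-side screening that the thread says cannot be done reliably on the client, as an added Python example (not code from the thread, and not ColdFusion): it splits a constructed multipart/form-data body the way the browser sends it, treats the filename and Content-Type in each part's MIME header as untrusted client input, and accepts a file only when its bytes match the extension it claims. The boundary, the three parts, the signature table and the allowed-extension list are all constructed for the example.

```python
import os

# Constructed sample body (not from the thread): what a browser POSTs for a form with one
# text field and two file fields. Every header value (name, filename, Content-Type) is client-chosen.
BOUNDARY = b"----CFTalkExample"
SAMPLE_BODY = b"".join([
    b"--", BOUNDARY, b'\r\nContent-Disposition: form-data; name="description"\r\n\r\nholiday snaps\r\n',
    b"--", BOUNDARY, b'\r\nContent-Disposition: form-data; name="photo"; filename="beach.jpg"\r\n',
    b"Content-Type: image/jpeg\r\n\r\n\xff\xd8\xff\xe0\x00\x10JFIF fake jpeg body \xff\xd9\r\n",
    b"--", BOUNDARY, b'\r\nContent-Disposition: form-data; name="photo2"; filename="C:\\Photos\\page.jpg"\r\n',
    b"Content-Type: image/jpeg\r\n\r\n<html>not an image at all</html>\r\n",
    b"--", BOUNDARY, b"--\r\n",
])

# File signatures the server checks itself instead of trusting the extension or Content-Type.
MAGIC = {b"\xff\xd8\xff": "image/jpeg", b"\x89PNG\r\n\x1a\n": "image/png", b"GIF8": "image/gif"}
ALLOWED = {".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".png": "image/png", ".gif": "image/gif"}

def parse_multipart(body, boundary):
    """Split a multipart/form-data body into (headers, payload) pairs using RFC 2046 framing."""
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:           # [0] is the preamble
        if chunk.startswith(b"--"):                          # "--boundary--" closes the body
            break
        head, _, payload = chunk[2:].partition(b"\r\n\r\n")  # [2:] drops the CRLF after the boundary
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        parts.append((headers, payload[:-2]))                # trailing CRLF belongs to the next boundary
    return parts

def check_part(headers, payload, max_bytes=1_000_000):
    """Verdict for one part: ordinary field, or a file accepted/rejected on server-side evidence."""
    disposition = headers.get("content-disposition", "")
    params = {k.strip(): v.strip('"') for k, _, v in (i.partition("=") for i in disposition.split(";")[1:])}
    if "filename" not in params:
        return params.get("name"), "field"                   # text fields arrive inline, not as files
    base = params["filename"].replace("\\", "/").rsplit("/", 1)[-1]   # old browsers send a full path
    expected = ALLOWED.get(os.path.splitext(base)[1].lower())
    if len(payload) > max_bytes:
        return base, "rejected: too large"
    if expected is None:
        return base, "rejected: extension not allowed"
    if not any(payload.startswith(magic) and kind == expected for magic, kind in MAGIC.items()):
        return base, "rejected: content does not match extension"
    return base, "accepted"

def screen_upload(body, boundary):
    return [check_part(h, p) for h, p in parse_multipart(body, boundary)]
```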
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: 
http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq