If you are worried about cfm files being uploaded, I suggest you put all uploaded files under the root and cfcontent them for display in a page.
-Adam

On Sun, 12 Dec 2004 10:42:55 -0800, Matt Robertson <[EMAIL PROTECTED]> wrote:
> But isn't the CFFILE ACCEPT parameter a more sound way to govern file
> acceptability than a simple extension check? Sure on any given day
> anything can be spoofed, but someone with a much higher knowledge
> level would have to be making the attempt.
>
> I've seen literally dozens of attempts to send up bad file types,
> followed by manipulation of the extension (I set up the uploader to
> email me when such things happen, with details). These aren't
> malicious users, but dopey, headstrong ones who want to get their way
> or think the program is broken and they have this magic way to fix it
> (instead they got a supervisory reprimand in their employee jackets).
> They were typical cms users: staffers with just barely enough
> knowledge to be dangerous, but no more.
>
> If I'm understanding you right and you're only doing extension checks
> it just seems that you're not using an important feature of cffile.
> Using both features would be ideal but on a given day with a typical
> user I'd say cffile accept= was a lot more powerful piece of
> protection.
>
> --
> --Matt Robertson--
> President, Janitor
> MSB Designs, Inc.
> mysecretbase.com
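
Added example, not code from this thread: one way to combine the two suggestions, with `cffile accept=` plus an extension check at upload time, and files stored where the web server does not serve them and streamed back with `cfcontent`. It reads "under the root" as a directory outside the web-served tree; the directory path, the form field `userFile` and the URL parameter `f` are assumptions.

```cfml
<!--- Shared settings (constructed): uploadDir is an assumed path outside the web-served tree --->
<cfset uploadDir   = "D:\appdata\uploads\">
<cfset allowedExt  = "jpg,jpeg,gif,png,pdf">
<!--- Parallel to allowedExt: the MIME type used for each extension --->
<cfset allowedMime = "image/jpeg,image/jpeg,image/gif,image/png,application/pdf">

<!--- upload.cfm: "userFile" is a hypothetical form field name --->
<cftry>
    <cffile action="upload" fileField="userFile" destination="#uploadDir#"
            accept="#allowedMime#" nameConflict="makeunique">
    <cfcatch type="any">
        <!--- cffile throws when the MIME type is not in accept=;
              any upload failure is treated as a rejection here --->
        <cfoutput>File type not accepted.</cfoutput>
        <cfabort>
    </cfcatch>
</cftry>
<!--- Second, independent check on the extension of the file as saved --->
<cfif NOT listFindNoCase(allowedExt, cffile.serverFileExt)>
    <cffile action="delete" file="#cffile.serverDirectory#/#cffile.serverFile#">
    <cfoutput>File extension not accepted.</cfoutput>
    <cfabort>
</cfif>

<!--- download.cfm: "f" is a hypothetical URL parameter naming a stored file --->
<cfparam name="url.f" default="">
<cfset ext = listLast(url.f, ".")>
<cfset pos = listFindNoCase(allowedExt, ext)>
<!--- Allow only plain file names (no slashes or colons) with an allowed
      extension that exist in uploadDir --->
<cfif reFind("[^A-Za-z0-9._-]", url.f) OR pos EQ 0 OR NOT fileExists(uploadDir & url.f)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>
<!--- The stored file is sent as data with a fixed type; it is never run as a template --->
<cfcontent type="#listGetAt(allowedMime, pos)#" file="#uploadDir##url.f#" deleteFile="no">
```

Because the stored files sit outside the served tree, an uploaded `.cfm` that slipped past both checks would still not be reachable by URL.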

