A few other safety tips for uploads:

- Upload files into a temp directory, then copy them over to their final destination. If you can, remove execute permissions on the file. If it's just for download, read and write should be sufficient.
- Virus scan everything that gets uploaded into the temp directory. You can use cfexecute to talk to your anti-virus program through the command line or a batch file to do the scan.
- Always upload into a non-public directory. Make sure that the file cannot be accessed through the URL.
- Use cfcontent and cfheader to push the file to the browser out of your non-public directory.

I included some code I have used in the past to achieve this at the end of this message. I would love any hints or suggestions people have to do this better.
One of the most common ways a hacker tries to get into your system is by uploading a file and trying to execute it through your web server. They will upload batch, cfm, perl, php, etc. scripts that will give them complete access to your machine. They have figured out how to embed viruses into pdf, quicktime and windows media files, so the virus scan is essential to protect your users. Clam AV does a good job of keeping their virus defs up to date if you are on a tight budget. Plus they have a version for all of the major OSes. http://www.clamav.net/binary.html#pagestart

I hope that helps,

Dave

<!--- Look the document up and check the caller's permission in one query.
      Session.Company_Id and url.Doc_id are bound with cfqueryparam so that
      request input is never spliced into the SQL text. --->
<cfquery datasource="#application.dsn#" name="GetDownloadDoc" maxrows="1">
    SELECT Documents.Doc_Id, Documents.DocTitle, Documents.filename,
           Documents.DatePosted, Documents.PickedUp, DocPermissions.Permission_Id
    FROM Documents
    INNER JOIN DocPermissions ON Documents.Doc_Id = DocPermissions.Doc_Id
    WHERE DocPermissions.Company_id = <cfqueryparam value="#Session.Company_Id#" cfsqltype="cf_sql_integer">
      AND DocPermissions.Doc_id = <cfqueryparam value="#url.Doc_id#" cfsqltype="cf_sql_integer">
</cfquery>

<cfif GetDownloadDoc.Recordcount EQ 0>
    <br><br>
    <center><font color="red" size="+1">This file does not exist or you do not have the correct permissions</font></center>
    <cfabort>
</cfif>

<cfinclude template="DownloadTracking.cfm">

<!---
<cfset fileName = GetDownloadDoc.filename>
<cfset itemsInList = listLen(fileName, ".")>
<cfif itemsInList GT 1>
    <cfset fileExt = listGetAt(fileName, itemsInList, ".")>
<cfelse>
    <cfset fileExt = "">
</cfif>
<!-- find the proper MIME type -->
<CFIF fileExt is ''>
    <CFSET fileType = "unknown">
<CFELSEIF fileExt is 'pdf'>
    <CFSET fileType = "application/pdf">
<CFELSEIF fileExt is 'doc'>
    <CFSET fileType = "application/msword">
<CFELSEIF fileExt is 'aif'>
    <CFSET fileType = "audio/aiff">
<CFELSEIF fileExt is 'aiff'>
    <CFSET fileType = "audio/aiff">
<CFELSEIF fileExt is 'art'>
    <CFSET fileType = "image/x-jg">
<CFELSEIF fileExt is 'cil'>
    <CFSET fileType = "application/vnd.ms-artgalry">
<CFELSEIF fileExt is 'gif'>
    <CFSET fileType = "image/gif">
<CFELSEIF fileExt is 'htm'>
    <CFSET fileType = "text/html">
<CFELSEIF fileExt is 'html'>
    <CFSET fileType = "text/html">
<CFELSEIF fileExt is 'txt'>
    <CFSET fileType = "text/plain">
<CFELSEIF fileExt is 'xls'>
    <CFSET fileType = "application/vnd.ms-excel">
<CFELSE>
    <CFSET fileType = "unknown">
</CFIF>
--->

<cfoutput>
<!--- #Application.FileRoot#\#GetDownloadDoc.filename#|#fileType# --->
<!--- The filename sent to the browser comes from the database row, not
      from the request, so the header never carries caller-supplied text. --->
<cfheader name="Content-Disposition" value="inline; filename=#GetDownloadDoc.filename#">
<CFCONTENT TYPE="application/unknown" FILE="#Application.FileRoot#/#GetDownloadDoc.filename#" DELETEFILE="No">
</cfoutput>

On Sep 9, 2005, at 1:15 PM, Tangorre, Michael wrote:

>> From: daniel kessler [mailto:[EMAIL PROTECTED]
>> So, how would I structure an "accept" so that it does this?
>> Also, which other types of files should I exclude? If it's an include-only list then I don't have to exclude, but I don't know which file types to enter ahead of time because I may know a few of the file types ahead of time, but probably not all of them. So I'd rather exclude, I think.
>>
>
> I'd specify as many as you WANT to allow and let the users who have issues with the "other" documents let you know.
>
> <!--- in Application.cfm --->
>
> <cfscript>
> // Allowable file MIME types. ListAppend() returns a new list, so the
> // result must be assigned back to the variable each time.
> application.acceptableMIMETypes = "";
> application.acceptableMIMETypes = ListAppend(application.acceptableMIMETypes, "application/excel");
> application.acceptableMIMETypes = ListAppend(application.acceptableMIMETypes, "application/vnd.ms-excel");
> application.acceptableMIMETypes = ListAppend(application.acceptableMIMETypes, "application/x-excel");
> application.acceptableMIMETypes = ListAppend(application.acceptableMIMETypes, "application/x-msexcel");
> application.acceptableMIMETypes = ListAppend(application.acceptableMIMETypes, "application/x-mspowerpoint");
> application.acceptableMIMETypes = ListAppend(application.acceptableMIMETypes, "application/vnd.ms-powerpoint");
> application.acceptableMIMETypes = ListAppend(application.acceptableMIMETypes, "application/powerpoint");
> application.acceptableMIMETypes = ListAppend(application.acceptableMIMETypes, "application/mspowerpoint");
> application.acceptableMIMETypes = ListAppend(application.acceptableMIMETypes, "application/msword");
> application.acceptableMIMETypes = ListAppend(application.acceptableMIMETypes, "application/x-visio");
> application.acceptableMIMETypes = ListAppend(application.acceptableMIMETypes, "application/wordperfect");
> application.acceptableMIMETypes = ListAppend(application.acceptableMIMETypes, "application/x-compressed");
> application.acceptableMIMETypes = ListAppend(application.acceptableMIMETypes, "application/x-zip-compressed");
> application.acceptableMIMETypes = ListAppend(application.acceptableMIMETypes, "application/pdf");
> application.acceptableMIMETypes = ListAppend(application.acceptableMIMETypes, "application/zip");
> application.acceptableMIMETypes = ListAppend(application.acceptableMIMETypes, "multipart/x-zip");
> application.acceptableMIMETypes = ListAppend(application.acceptableMIMETypes, "text/plain");
> application.acceptableMIMETypes = ListAppend(application.acceptableMIMETypes, "text/html");
> application.acceptableMIMETypes = ListAppend(application.acceptableMIMETypes, "image/png");
> application.acceptableMIMETypes = ListAppend(application.acceptableMIMETypes, "image/pjpeg");
> application.acceptableMIMETypes = ListAppend(application.acceptableMIMETypes, "image/jpeg");
> application.acceptableMIMETypes = ListAppend(application.acceptableMIMETypes, "image/gif");
> application.acceptableMIMETypes = ListAppend(application.acceptableMIMETypes, "image/bmp");
> application.acceptableMIMETypes = ListAppend(application.acceptableMIMETypes, "image/x-windows-bmp");
> </cfscript>
>
> <!--- on page where upload takes place --->
>
> <cffile
>     ....
>     accept="#application.acceptableMIMETypes#">
>

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:217871
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
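The accept list quoted above compares against the Content-Type the browser declares for the file, while the tips at the top of the message rely on the extension, the storage location and the file permissions. The following is an added example in Python, not ColdFusion and not code from either post, of those upload-side checks as a language-neutral illustration: an extension allowlist that refuses the server-executable types named above, a magic-byte check so the content has to match the extension, and storage under a random server-chosen name with no execute bit. The MAGIC table, the SERVER_EXECUTABLE set and the sample uploads are constructed for the example.

```python
import os
import secrets
import tempfile

# Extension -> leading bytes a file of that type starts with. Types with no
# reliable signature (txt) map to None and get only the extension check.
# Table constructed for this example; it mirrors the accept list in the thread.
MAGIC = {
    "pdf": [b"%PDF-"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "bmp": [b"BM"],
    "zip": [b"PK\x03\x04"],
    "doc": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],  # OLE2 compound document
    "xls": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],
    "txt": None,
}

# Extensions the web server or CF engine would run if the file were ever
# reachable by URL: the script types named in the post plus common cousins.
SERVER_EXECUTABLE = {"cfm", "cfc", "cfml", "php", "pl", "cgi", "bat", "cmd",
                     "exe", "asp", "aspx", "jsp", "sh"}


class UploadRejected(ValueError):
    """Raised with a reason meant for the server log, not for the user."""


def extension_of(client_name):
    """Last extension of the client-supplied name, lower-cased.
    Only the last one counts: 'report.pdf.cfm' is a .cfm file."""
    base = os.path.basename(client_name.replace("\\", "/"))
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def validate_upload(client_name, client_type, data):
    """Return the accepted extension or raise UploadRejected.

    client_type is the Content-Type the browser sent in the multipart body,
    i.e. what an accept="" list compares against. It is reported in the
    rejection reason but never used to make the decision."""
    ext = extension_of(client_name)
    if ext in SERVER_EXECUTABLE:
        raise UploadRejected(f"server-executable extension .{ext}")
    if ext not in MAGIC:
        raise UploadRejected(f"extension .{ext or '(none)'} is not on the allowlist")
    signatures = MAGIC[ext]
    if signatures is not None and not any(data.startswith(s) for s in signatures):
        raise UploadRejected(
            f"content does not start like a .{ext} file (client claimed {client_type})")
    return ext


def is_accepted(client_name, client_type, data):
    """Yes/no wrapper around validate_upload."""
    try:
        validate_upload(client_name, client_type, data)
        return True
    except UploadRejected:
        return False


def store_in_temp(client_name, client_type, data, temp_dir=None):
    """Validate, then write the bytes under a random server-chosen name in the
    temp (non-public) directory with mode 0600: read and write for the service
    account only, no execute bit. Returns the stored path."""
    ext = validate_upload(client_name, client_type, data)
    temp_dir = temp_dir or tempfile.mkdtemp(prefix="uploads-")
    stored = os.path.join(temp_dir, f"{secrets.token_hex(16)}.{ext}")
    fd = os.open(stored, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return stored


if __name__ == "__main__":
    # Constructed sample uploads: a PDF header, and a CF tag renamed to .pdf,
    # both claiming application/pdf.
    print(is_accepted("report.pdf", "application/pdf", b"%PDF-1.4\n"))
    print(is_accepted("notes.pdf", "application/pdf", b"<cfset x = 1>"))
```

The magic check only catches a renamed script, not a malicious document that is structurally valid, which is why the virus scan of the temp directory stays in the flow. The stored path is built from the server's random name, so the client's filename never becomes part of a path.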
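The download handler at the end of Dave's message does the permission check inside the query and then streams the file out of Application.FileRoot. As an added example that is not the post's code, here is the same flow in Python with sqlite standing in for the datasource: bound parameters where the post's WHERE clause uses Session.Company_Id and url.Doc_id, a containment check on the path built from the stored filename, and a Content-Disposition whose filename comes from the database row rather than from the URL. The schema, rows and file contents are constructed for the demo.

```python
import os
import re
import sqlite3
import tempfile


def build_demo_db():
    """Constructed in-memory schema and rows standing in for the Documents /
    DocPermissions tables in the post. Company 10 may see document 1 only."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Documents (Doc_Id INTEGER PRIMARY KEY, DocTitle TEXT, filename TEXT);
        CREATE TABLE DocPermissions (Doc_Id INTEGER, Company_Id INTEGER, Permission_Id INTEGER);
        INSERT INTO Documents VALUES (1, 'Q3 report', 'a1b2c3d4.pdf');
        INSERT INTO Documents VALUES (2, 'Contract',  'e5f6a7b8.pdf');
        INSERT INTO DocPermissions VALUES (1, 10, 1);
        INSERT INTO DocPermissions VALUES (2, 20, 1);
    """)
    return conn


def lookup_document(conn, company_id, doc_id):
    """The post's cfquery with bound parameters (sqlite's '?' plays the role
    of <cfqueryparam>). Non-integer ids never reach SQL at all."""
    try:
        company_id, doc_id = int(company_id), int(doc_id)
    except (TypeError, ValueError):
        return None
    return conn.execute(
        """SELECT Documents.Doc_Id, Documents.DocTitle, Documents.filename
           FROM Documents
           INNER JOIN DocPermissions ON Documents.Doc_Id = DocPermissions.Doc_Id
           WHERE DocPermissions.Company_Id = ? AND DocPermissions.Doc_Id = ?""",
        (company_id, doc_id)).fetchone()


def resolve_under_root(file_root, stored_name):
    """Join the stored name onto the non-public root and refuse any result that
    resolves outside it, so a bad row or a symlink cannot reach other files."""
    root = os.path.realpath(file_root)
    candidate = os.path.realpath(os.path.join(root, stored_name))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise PermissionError("resolved path is outside the file root")
    return candidate


def content_disposition(download_name):
    """Header value whose filename carries no CR/LF, quotes or path characters."""
    safe = re.sub(r"[^A-Za-z0-9._ -]", "_", download_name).strip(" .") or "download"
    return f'attachment; filename="{safe}"'


def build_download(conn, file_root, session_company_id, url_doc_id):
    """Return (status, headers, body) for a download request. The same 404
    covers 'no such document' and 'not your document', as in the post."""
    row = lookup_document(conn, session_company_id, url_doc_id)
    if row is None:
        return 404, {}, b""
    doc_id, title, stored_name = row
    try:
        path = resolve_under_root(file_root, stored_name)
        with open(path, "rb") as fh:
            body = fh.read()
    except (PermissionError, FileNotFoundError):
        return 404, {}, b""
    ext = os.path.splitext(stored_name)[1]
    headers = {
        "Content-Type": "application/octet-stream",  # never taken from the upload
        "Content-Disposition": content_disposition(title + ext),
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, body


def demo():
    """Set up a throwaway root with one stored file and exercise the handler."""
    conn = build_demo_db()
    root = tempfile.mkdtemp(prefix="fileroot-")
    with open(os.path.join(root, "a1b2c3d4.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n%constructed sample\n")
    try:
        resolve_under_root(root, "../../etc/passwd")
        traversal_blocked = False
    except PermissionError:
        traversal_blocked = True
    return {
        "own_doc": build_download(conn, root, 10, "1")[0],
        "other_company": build_download(conn, root, 20, "1")[0],
        "non_numeric_id": build_download(conn, root, 10, "1abc")[0],
        "disposition": build_download(conn, root, 10, "1")[1]["Content-Disposition"],
        "traversal_blocked": traversal_blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The example answers with "attachment" where the post used "inline": with inline, a browser may render an uploaded HTML or SVG file in the application's own origin, whereas attachment together with an application/octet-stream type and nosniff forces a download. Returning the same 404 for a missing document and for another company's document avoids confirming which ids exist.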

