> The hackers see it as a golden opportunity to do
> a drive-by upload of your entire hard drive.

But why is there more risk for a user to upload a single directory, and *only* a single directory of their choosing, than to upload single files? Is it just to protect them from themselves?

With the limitation of the function to one directory without recursion, I don't see how that poses risk to a user's or my server's hard drive. No recursion and limitation on file types... How would the "one folder" method be more risky than the "one file" method?

And I'm asking because I really want to understand, not because I think I know what's better...

> -----Original Message-----
> From: Justin Scott [mailto:[EMAIL PROTECTED]
> Sent: Thursday, August 28, 2008 7:11 PM
> To: CF-Talk
> Subject: Re: Pre-filling FileField Values
>
> > However, if I want to take responsibility to designate an entire folder
> > of files for upload, I should be able to do that, too. Not just one file
> > at a time, but choose the folder and all its contents.
> >
> > Why not?
>
> I think you're completely missing the whole security issue that would be
> created if they allowed that. You see it as functionality to make life
> easier for the users. The hackers see it as a golden opportunity to do
> a drive-by upload of your entire hard drive. Fortunately the people who
> design the protocols and standards have the ability to recognize this,
> and I, for one, am thankful for that.
>
> -Justin Scott

