I've never allowed FTP access to my apps, but I do allow file uploads of images and such through file managers built into the app.

Session scope includes a #session.homedir# value unique to each user. When they upload a file (I use cffm) it lands in their home directory, and can then be referenced:

<img src="#member.homedir#\#request.imagename#">

or

<img src="#application.dsp.getProfileImage(memberid)#">

This setup silos uploads into discrete directories for individuals, but all of the uploaded images are publicly accessible in this implementation.

On Fri, Oct 9, 2009 at 2:59 PM, Robert Harrison <[email protected]> wrote:

> This is what I thought.
>
> Option 3 sounds the most realistic. Still, another project with scope creep
> and no budget increase.
>
> Robert B. Harrison
> Director of Interactive Services
> Austin & Williams
> 125 Kennedy Drive, Suite 100
> Hauppauge NY 11788
> P : 631.231.6600 Ext. 119
> F : 631.434.7022
> http://www.austin-williams.com
>
> Great advertising can't be either/or. It must be &.
>
> Plug in to our blog: A&W Unplugged
> http://www.austin-williams.com/unplugged
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> Sent: Friday, October 09, 2009 2:45 PM
> To: cf-talk
> Subject: RE: application.cfc for security
>
> Not if the files being uploaded are things like images, or text files.
> Requests for those file types aren't routed through ColdFusion. Instead
> the webserver hands the files directly back to the user.
>
> Options:
> 1) Store the files outside of the webroot and only allow programmatic
> access via cfcontent, which allows you to check session security (best
> for security)
> 2) Associate all files with ColdFusion and write a custom servlet filter
> to intercept these. (NOT recommended)
> 3) Enforce security at the web server with .htaccess or equivalent.
> This would NOT have access to your ColdFusion session scope, but rather
> would be a separate list of user names and passwords you could
> administer to control who could access that directory.
>
> ~Brad
>
> -------- Original Message --------
> Subject: application.cfc for security
> From: "Robert Harrison" <[email protected]>
> Date: Fri, October 09, 2009 1:33 pm
> To: cf-talk <[email protected]>
>
> I have a situation where a user is creating subdirectories in a directory
> that I know. He's also uploading files via FTP. I know the name of the root
> directory, but don't necessarily know the name of the subdirectories and
> files.
>
> Is there any way I can put an application.cfc in the root directory so it
> would do a redirect on anyone who does not have the right credentials (e.g.,
> a session variable)?
>
> I know I can make it work on all the .cfm files in the subs... but is there
> a way I can make it work for all files?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:327078
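A sketch of option 1 from the quoted reply (files outside the webroot, served through cfcontent after a session check). This is an added example, not code from anyone in the thread. It assumes session management is enabled and that session.homedir is an absolute directory outside the webroot set at login; the file name serveimage.cfm and the url.name parameter are hypothetical.

```cfm
<!--- serveimage.cfm (hypothetical name): added example, not from the thread.
      Assumes session.homedir is an absolute path OUTSIDE the webroot, set at login.
      Called as serveimage.cfm?name=photo.jpg (url.name is an assumed parameter). --->
<cfsetting enablecfoutputonly="true" showdebugoutput="false">

<!--- 1. Session check: no per-user directory in the session means no access. --->
<cfif NOT StructKeyExists(session, "homedir")>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- 2. Accept only a bare file name. GetFileFromPath drops any directory part,
      and the allow-list regex rejects slashes, backslashes and "..", so the
      lookup cannot leave the caller's own directory. --->
<cfparam name="url.name" default="">
<cfset fileName = GetFileFromPath(url.name)>
<cfif fileName NEQ url.name OR NOT REFind("^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$", fileName)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- 3. Serve only known image types, with a fixed MIME type per extension. --->
<cfset mimeTypes = StructNew()>
<cfset mimeTypes["jpg"] = "image/jpeg">
<cfset mimeTypes["png"] = "image/png">
<cfset mimeTypes["gif"] = "image/gif">
<cfset ext = LCase(ListLast(fileName, "."))>
<cfif NOT StructKeyExists(mimeTypes, ext)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- 4. Build the path inside the caller's directory and stream the file. --->
<cfset fullPath = session.homedir & "/" & fileName>
<cfif NOT FileExists(fullPath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>
<cfcontent type="#mimeTypes[ext]#" file="#fullPath#" deletefile="no">
```

Because the directory comes from the session rather than the request, one user cannot ask for a file in another user's directory, and the web server never serves the files directly.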

