I am not sure how cffile or cfimage handles it, but I do know that if you pass a file to some of the Java classes and it's not a legit image file, it will let you know. You can also write a cfc into this that can check file types to limit what file types get past and that will reduce the amount of crap...
I just wrote a cfc based off of Ben Nadel's image utils cfc that creates dynamic images on the fly...you might want to look at that. It will kick back a file if you, say, take a text file and rename the ext to jpg.

-----Original Message-----
From: denstar [mailto:[email protected]]
Sent: Saturday, November 06, 2010 12:59 AM
To: cf-talk
Subject: Re: Getting rid of malicious code embedded in a jpg

On Fri, Nov 5, 2010 at 8:27 PM, Terry Troxel wrote:
>
> I am trying to allow prospective clients to try my templates
> image tools in order to see if it will help sway them.
> I do not have any image samples with malicious code nor do I want any.
> My question is if I use the coldfusion image tags or my trusty cf_imagecr
> after the upload will it remove any of this or how about I save it as a png?
> I do not want to open up any possible security issues.

There was an awesome thread on the Railo list, titled "CFFile and MIME types", that covered this issue a bit.

I think in the end, a virus scanner was the best bet? Maybe trying to convert the image to a different type would do the trick too, I can't remember if that was covered.

There was a link for something that looked interesting:

http://hul.harvard.edu/jhove/

But I don't know if it would work. I never got around to writing a wrapper for it to test with. =)

I bet conversion would be enough, though you'd probably run into the odd legitimate file that didn't convert, for whatever reason. Better that than the alternative though, I say. There are potential false-positives with virus scanners too, although I'd wager less.

:Den

--
Any father whose son raises his hand against him is guilty of having produced a son who raised his hand against him.
Charles Peguy
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:338903
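The two ideas in this thread, rejecting a file the Java image readers cannot decode and re-saving it as a PNG so only pixel data survives, combined into one function. This is an added example, not code from the thread or from Ben Nadel's cfc; it assumes ColdFusion 9 or later (cfscript throw/fileDelete) and that the caller has already run cffile upload into a directory outside the web root and passes that temp path in. The function name, the allowlist and the struct it returns are my own choices.

```cfml
<cfscript>
// Added example: validate an uploaded image, then re-encode it to PNG.
// uploadPath: temp file written by cffile action="upload" (outside web root).
// destDir:    directory that will hold the re-encoded copy.
function sanitizeUploadedImage(required string uploadPath, required string destDir) {
    var allowed = "jpg,jpeg,png,gif";   // assumed allowlist, adjust to your needs
    var ext = lCase(listLast(getFileFromPath(arguments.uploadPath), "."));

    // 1. Extension allowlist. Cheap first filter only; the name is under
    //    the uploader's control, so this is never sufficient on its own.
    if (!listFindNoCase(allowed, ext)) {
        fileDelete(arguments.uploadPath);
        throw(type="UploadRejected", message="Extension not allowed: " & ext);
    }

    // 2. Real decode test. isImageFile() hands the bytes to the Java image
    //    readers and returns false for a text file renamed to .jpg, which is
    //    exactly the "it will let you know" behaviour mentioned above.
    if (!isImageFile(arguments.uploadPath)) {
        fileDelete(arguments.uploadPath);
        throw(type="UploadRejected", message="File does not decode as an image");
    }

    // 3. Re-encode. imageRead() loads the pixels; imageWrite() writes a fresh
    //    container whose format is taken from the .png extension. Comments,
    //    trailing bytes and unknown segments of the original are not copied.
    //    Legitimate files that fail to decode are rejected too (a false
    //    positive the thread accepts as the safer trade-off).
    var img = imageRead(arguments.uploadPath);
    var safeName = createUUID() & ".png";        // never reuse the client name
    var safePath = arguments.destDir & "/" & safeName;
    imageWrite(img, safePath, 1, true);          // quality 1 = lossless for PNG
    fileDelete(arguments.uploadPath);            // drop the original bytes

    return { name = safeName, width = imageGetWidth(img), height = imageGetHeight(img) };
}
</cfscript>
```

Wrap the call in try/catch on type "UploadRejected" and treat every rejection the same way to the client; the returned width and height are also a convenient place to enforce a maximum image size before anything else touches the file.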

