Andrew,

Definitely a good point, which is why I mentioned modifying the framework to have black-listed file extensions that would have to be explicitly allowed for a field.

I do think, however, that I should have a note on the section about uploading files that a list of allowed extensions should *always* be used. That, to me, is the real point of vulnerability where I should have big red letters say "Look out!".

As to Pete's link, I had read that one and I still believe that it is a warning primarily about mime-type, but I think it would make a great page to link to from the documentation.

Thanks,
Steve

>What about *.jsp files, or even aspx or asp files?
>
>Regards,
>Andrew Scott
>http://www.andyscott.id.au/
>
>> Ian,
>>
>> Even if it was, Application.cfm
>> would run first and abort the process.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340443
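The per-field policy discussed in this message (an allow list that is always applied, plus black-listed extensions that a field must approve explicitly) can be sketched as follows. This is an added example, not code from the thread or from the framework; the names `DENY_UNLESS_EXPLICIT`, `suffixes` and `check_upload` and the contents of the deny list are assumptions made for illustration.

```python
import os

# Assumption: extensions refused unless a field opts in explicitly. The list is
# illustrative and includes the types named in the thread (jsp, asp, aspx).
DENY_UNLESS_EXPLICIT = {"cfm", "cfml", "cfc", "jsp", "jspx", "asp", "aspx", "php"}


def suffixes(filename):
    """Return every dot-separated suffix of the base name, lowercased."""
    name = os.path.basename(filename.replace("\\", "/"))
    # Windows silently drops trailing dots and spaces when the file is saved,
    # so "page.aspx. " lands on disk as "page.aspx".
    name = name.strip().rstrip(". ")
    return [part.lower() for part in name.split(".")[1:]]


def check_upload(filename, allowed, explicitly_allowed=()):
    """Return (ok, reason) for one upload field (hypothetical helper)."""
    allowed = {e.lower().lstrip(".") for e in allowed}
    explicit = {e.lower().lstrip(".") for e in explicitly_allowed}
    if "\x00" in filename:
        return False, "NUL byte in file name"
    exts = suffixes(filename)
    if not exts:
        return False, "no extension"
    if exts[-1] not in allowed:
        return False, "extension ." + exts[-1] + " is not on the field's allow list"
    # Check every suffix, not just the last: some web server configurations
    # pick a handler from an inner extension, as in "x.jsp.jpg".
    for ext in exts:
        if ext in DENY_UNLESS_EXPLICIT and ext not in explicit:
            return False, "." + ext + " needs explicit per-field approval"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample names for a field that accepts documents and images.
    for name in ["report.pdf", "shell.jsp", "photo.jsp.jpg", "page.ASPX. ", "noext"]:
        print(name, check_upload(name, allowed={"pdf", "jpg", "png"}))
```

The extension check only decides whether a name is acceptable; it says nothing about the file's content or MIME type, which is the separate concern raised about Pete's link.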

