As long as you are aware that while your code is doing the validation a hacker can still run the uploaded file.
Regards,
Andrew Scott
http://www.andyscott.id.au/

> -----Original Message-----
> From: Steve Bryant [mailto:[email protected]]
> Sent: Wednesday, 5 January 2011 10:06 AM
> To: cf-talk
> Subject: Re: Beta Tester Wanted for new CF (MVC) Framework
>
> Andrew,
>
> Definitely a good point which is why I mentioned modifying the framework
> to have black-listed file extensions that would have to be explicitly allowed
> for a field.
>
> I do think, however, that I should have a note on the section about uploading
> files that a list of allowed extensions should *always* be used. That, to me, is
> the real point of vulnerability where I should have big red letters say "Look
> out!".
>
> As to Pete's link, I had read that one and I still believe that it is a warning
> primarily about mime-type but I think it would make a great page to link to
> from the documentation.
>
> Thanks,
>
> Steve
>
> >What about *.jsp files, or even aspx or asp files?
> >
> >Regards,
> >Andrew Scott
> >http://www.andyscott.id.au/
> >
> >> Ian,
> >>
> >> Even if it was, Application.cfm
> >> would run first and abort the process.
> >>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
> Order the Adobe Coldfusion Anthology now!
> http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
> Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340443
> Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
> Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340444
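An added illustration of the two points raised in this thread: an allow-list of extensions rather than a block-list (so jsp, asp, aspx, cfm and friends never have to be enumerated), and not letting the uploaded file sit anywhere it can be requested by URL while the check is still running. This is editorial example code in Python, not CFML and not the framework's own code; the allowed-extension set, the directory names and the helper function names are assumptions made for the example, and the sample uploads are constructed.

```python
import os
import shutil
import tempfile
import uuid

# Assumed policy for this example: only these extensions may ever land in the
# web-served upload directory. An allow-list needs no knowledge of which script
# types (cfm, cfc, jsp, asp, aspx, php, ...) the server would execute.
ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "pdf"})


def extension_of(client_filename: str) -> str:
    """Normalised final extension of a client-supplied filename, or ''.

    Only the text after the last dot counts, lower-cased, after stripping
    directory components and trailing dots/spaces, so 'shell.jpg.cfm',
    'SHELL.CFM' and 'shell.cfm.' all resolve to 'cfm'.
    """
    base = os.path.basename(client_filename.replace("\\", "/")).strip().rstrip(". ")
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def is_allowed(client_filename: str) -> bool:
    """Allow-list check: anything not explicitly permitted is rejected."""
    return extension_of(client_filename) in ALLOWED_EXTENSIONS


def accept_upload(client_filename: str, data: bytes, webroot_uploads: str):
    """Stage outside the webroot, validate, then move into place.

    The bytes are first written under a temporary directory that the web
    server does not serve, so there is no window in which the file can be
    requested (and executed) by URL before validation has finished. Returns
    the final path, or None if the upload was rejected (and deleted).
    """
    staging_dir = tempfile.mkdtemp(prefix="upload-staging-")  # assumed: not under the webroot
    try:
        staged = os.path.join(staging_dir, uuid.uuid4().hex)  # server-chosen name, no extension
        with open(staged, "wb") as fh:
            fh.write(data)

        ext = extension_of(client_filename)
        if ext not in ALLOWED_EXTENSIONS:
            return None  # the finally block removes the staged file

        os.makedirs(webroot_uploads, exist_ok=True)
        final_path = os.path.join(webroot_uploads, f"{uuid.uuid4().hex}.{ext}")
        shutil.move(staged, final_path)
        return final_path
    finally:
        shutil.rmtree(staging_dir, ignore_errors=True)


def demo() -> dict:
    """Run the flow against constructed uploads; report what ended up served."""
    webroot_uploads = tempfile.mkdtemp(prefix="webroot-uploads-")  # stands in for /uploads
    results = {}
    for name, payload in [
        ("holiday.JPG", b"\xff\xd8\xff\xe0 not a real jpeg"),
        ("shell.jsp", b"<% Runtime.getRuntime().exec(request.getParameter(\"c\")); %>"),
        ("shell.jpg.cfm", b"<cfexecute name='cmd.exe'>"),
        ("backdoor.aspx.", b"<%@ Page Language='C#' %>"),
    ]:
        results[name] = accept_upload(name, payload, webroot_uploads)
    results["served_extensions"] = sorted(
        extension_of(f) for f in os.listdir(webroot_uploads)
    )
    shutil.rmtree(webroot_uploads, ignore_errors=True)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things worth noting. The client-supplied content type is deliberately not consulted, since the browser controls it; only the extension the server will actually serve the file under decides execution, and the server, not the client, picks the final file name. In CFML the same shape is a cffile upload whose destination is a directory outside the webroot (getTempDirectory() is the obvious candidate), a listFindNoCase of the result struct's serverFileExt against the allowed list, and a cffile move only after that check passes.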

