Hmmm I think you are contradicting the scenario here.

> - The files are temporarily uploaded to another location and then validated

> With all of that, how serious is the threat of having the default upload
> location be inside the web root?

If the temp file is accessible before validation, a hacker can run the file; that is how serious it is. But if you follow your first point, then it is moot.

Regards,
Andrew Scott
http://www.andyscott.id.au/

> -----Original Message-----
> From: Steve Bryant [mailto:[email protected]]
> Sent: Wednesday, 5 January 2011 11:45 AM
> To: cf-talk
> Subject: Re: Beta Tester Wanted for new CF (MVC) Framework
>
> Mark,
>
> I actually remember reading that blog post when it came out (I always love
> your blog, by the way). To be honest, I don't remember if I am doing that
> validation in place or not. Certainly this does demonstrate that it shouldn't be
> done in place - and I will address that if it is.
>
> I am curious, however, about the following scenario:
>
> - The files are temporarily uploaded to another location and then validated
>   and then moved to their final destination.
> - Server side checking on both mime-type AND extension
> - A black list of file extensions is maintained for file fields that do not have a
>   white list of extensions (with docs advising that all files should).
> - Read/Write access but no execute access for upload folders
> - Application.cfm in the root of the uploaded folders
>
> With all of that, how serious is the threat of having the default upload
> location be inside the web root?
>
> Keeping in mind that the goal is dead-simple set up and development
> (though security, of course, cannot be ignored).
>
> Thanks,
>
> Steve
>
> >Steve,
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340452
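The point both posters circle around is the window between "file written to disk" and "file validated": if that window is spent inside the web root, the server can be asked to serve or execute the file before the checks run. The following added example (not code from the thread, nor from Steve's framework; written in Python rather than CFML so it runs stand-alone) shows the staging pipeline Steve describes: write the upload to a directory assumed to be outside the web root under a server-chosen name, check extension, declared MIME type and file signature there, and only then move it to its final location. The allow-list table, the directory names and the sample uploads are all constructed for the example.

```python
import os
import shutil
import tempfile
import uuid

# Allow-list keyed by extension: (acceptable declared Content-Type values,
# leading-byte signatures the content must start with). Constructed for this
# example; a real application would extend it per file field.
ALLOWED_TYPES = {
    ".png": ({"image/png"}, [b"\x89PNG\r\n\x1a\n"]),
    ".jpg": ({"image/jpeg"}, [b"\xff\xd8\xff"]),
    ".jpeg": ({"image/jpeg"}, [b"\xff\xd8\xff"]),
    ".gif": ({"image/gif"}, [b"GIF87a", b"GIF89a"]),
    ".pdf": ({"application/pdf"}, [b"%PDF-"]),
}


def validate_upload(temp_path, original_name, declared_mime, allowed=ALLOWED_TYPES):
    """Return (ok, reason) for a file already staged at temp_path.

    The extension and the Content-Type both come from the client, so each is
    checked against the allow-list and then cross-checked against the actual
    leading bytes of the file, which the client cannot fake without also
    changing what the file is."""
    ext = os.path.splitext(original_name)[1].lower()
    if ext not in allowed:
        return False, "extension not allowed: %r" % ext
    mimes, magics = allowed[ext]
    if declared_mime.lower().split(";")[0].strip() not in mimes:
        return False, "declared type %r does not match %s" % (declared_mime, ext)
    with open(temp_path, "rb") as fh:
        head = fh.read(16)
    if not any(head.startswith(sig) for sig in magics):
        return False, "content signature does not match %s" % ext
    return True, "ok"


def stage_and_store(data, original_name, declared_mime, temp_dir, final_dir,
                    allowed=ALLOWED_TYPES):
    """Write the upload into temp_dir (assumed NOT to be under the web root),
    validate it there, and only then move it into final_dir under a
    server-generated name. Returns the final path, or None when the file was
    rejected; a rejected file is deleted so nothing unvalidated lingers."""
    os.makedirs(temp_dir, exist_ok=True)
    os.makedirs(final_dir, exist_ok=True)
    # Server-chosen staging name: the client-supplied filename never reaches disk.
    fd, temp_path = tempfile.mkstemp(dir=temp_dir)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    ok, _reason = validate_upload(temp_path, original_name, declared_mime, allowed)
    if not ok:
        os.remove(temp_path)
        return None
    # Keep only the (already allow-listed) extension; the base name is random.
    ext = os.path.splitext(original_name)[1].lower()
    final_path = os.path.join(final_dir, uuid.uuid4().hex + ext)
    shutil.move(temp_path, final_path)
    return final_path


def demo():
    """Push four constructed uploads through the pipeline and report which landed
    in the final directory and whether anything was left behind in staging."""
    root = tempfile.mkdtemp()
    temp_dir = os.path.join(root, "staging")            # outside the web root
    final_dir = os.path.join(root, "webroot", "uploads")
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32           # constructed: PNG signature only
    cfm = b"<cfset x = 1>"                              # constructed: CFML source text
    results = {
        "good png": stage_and_store(png, "photo.png", "image/png", temp_dir, final_dir),
        "cfm by name": stage_and_store(cfm, "page.cfm", "image/png", temp_dir, final_dir),
        "cfm as png": stage_and_store(cfm, "photo.png", "image/png", temp_dir, final_dir),
        "png wrong type": stage_and_store(png, "photo.png", "text/html", temp_dir, final_dir),
    }
    staged_left = os.listdir(temp_dir)
    shutil.rmtree(root)
    return results, staged_left


if __name__ == "__main__":
    outcome, leftovers = demo()
    for label, path in outcome.items():
        print("%-15s -> %s" % (label, "stored as " + os.path.basename(path) if path else "rejected"))
    print("files left in staging:", leftovers)
```

Two design points follow directly from the thread. The staging directory is never web-served, so the unvalidated window that Andrew warns about exists only where no request can reach it; and the final name is generated by the server with an allow-listed extension, so the "no execute" and Application.cfm safeguards on the upload folder are defence in depth rather than the only barrier. The signature check is what makes the MIME/extension check meaningful: both of those values are whatever the browser chose to send.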

