I would rather keep files out of the web root entirely than risk having an executable make it 'under the wire' so to speak. If I allow that, then some other non-CF hack I haven't been savvy or prompt enough to patch - or which is still unpatched - could let an attacker rename that file and poof... An accessible executable exists whose arrival I helped facilitate.
Just last week I found some smartypants trolling my sites looking for fckeditor's upload test page; presumably to see if I left one of its protocols enabled.

On Mon, Jun 17, 2013 at 12:29 AM, Russ Michaels <[email protected]> wrote:
>
> You simply check the extension on the filename, you can do this prior to
> upload, it doesn't require any special cf specific functionality, it's just
> validating a filename.
> If you are allowing people to upload files and then change the extension
> then you would have a security problem.
>
> Russ Michaels
> www.michaels.me.uk
> On 17 Jun 2013 03:03, "Dave Watts" <[email protected]> wrote:
> >
> > > if you're only dealing with images and are stopping all other file types
> > > being uploaded then what is the issue with allowing them to be uploaded to
> > > the website ?
> >
> > I'm not sure what you mean by "stopping all other file types being
> > uploaded", but CF doesn't include functionality to validate that a
> > file is what its extension says it is.
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > http://training.figleaf.com/
> >
> > Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> > GSA Schedule, and provides the highest caliber vendor-authorized
> > instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355957
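The two checks the thread contrasts, an extension allowlist (Russ's filename-only validation) and a check that the bytes really are the image type the extension claims (the part Dave notes CF does not do for you), plus the "never let the user's filename reach the web root" policy from the reply, as an added example. This is not code from the thread or from ColdFusion; it is written in Python rather than CFML, and the signature table, the `/srv/uploads` directory (assumed to sit outside the web root) and the sample bytes are all constructed for the illustration.

```python
import os
import secrets
from pathlib import Path

# Allowlisted extensions mapped to the magic bytes a genuine file of that type
# must start with. Constructed for this example: extend it for the image types
# you actually accept.
IMAGE_SIGNATURES = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
}


def extension_of(filename: str) -> str:
    """Last extension of the final path component, lower-cased ('' if none).

    Only the basename is considered, so '../../x.GIF' and 'C:\\tmp\\x.GIF'
    both yield 'gif'; directory components in the upload name are ignored.
    """
    name = os.path.basename(filename.replace("\\", "/"))
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()


def content_matches(ext: str, data: bytes) -> bool:
    """True when `data` begins with a known signature for `ext`."""
    return any(data.startswith(sig) for sig in IMAGE_SIGNATURES.get(ext, ()))


def validate_upload(filename: str, data: bytes) -> tuple:
    """Run both checks on an upload; returns (accepted, reason).

    Check 1 is the filename-only validation discussed in the thread.
    Check 2 is the content check the platform does not perform for you:
    a script renamed to .jpg passes check 1 and is caught here.
    """
    if "\x00" in filename:
        return False, "filename: embedded NUL byte"
    ext = extension_of(filename)
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension: '.{ext}' is not an allowed image type"
    if not content_matches(ext, data):
        return False, f"content: bytes do not match a .{ext} file"
    return True, "ok"


def storage_path(upload_root: str, filename: str) -> Path:
    """Where to write an accepted file: a random name under `upload_root`.

    `upload_root` is assumed to be outside the web root. The user-supplied
    name never reaches the filesystem; only its already-validated extension
    does, so a later rename-style bug has nothing executable to expose.
    """
    return Path(upload_root) / f"{secrets.token_hex(16)}.{extension_of(filename)}"


# Constructed sample inputs: a PNG header padded with zeros, and a CFML payload.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24
CFML_PAYLOAD = b'<cfexecute name="/bin/id" variable="out"><cfoutput>#out#</cfoutput>'


if __name__ == "__main__":
    samples = [
        ("photo.png", PNG_SAMPLE),                   # genuine image: accepted
        ("shell.cfm", CFML_PAYLOAD),                 # rejected by the extension check
        ("shell.jpg", CFML_PAYLOAD),                 # passes extension check, fails content check
        ("shell.cfm\x00.jpg", PNG_SAMPLE),           # NUL-byte trick: rejected up front
        ("../../x.gif", b"GIF89a" + b"\x00" * 8),   # path trick: basename + random name
    ]
    for name, data in samples:
        accepted, reason = validate_upload(name, data)
        dest = storage_path("/srv/uploads", name) if accepted else "-"
        print(f"{name!r:22} {accepted!s:5} {reason:45} {dest}")
```

The signature check only proves the first few bytes look like an image, which is enough to stop a renamed script but not to prove the file is a well-formed image; if the application later resizes or re-encodes the upload, do that with the image library and keep only the re-encoded output. Serving from outside the web root means a download handler streams the file with a Content-Type derived from the validated extension, never from the client.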

