Russ,

Ah... you are saying check the file extension on the server before
performing any actions. My mistake :)

Mark Kruger - CFG
CF Webtools


-----Original Message-----
From: Russ Michaels [mailto:r...@michaels.me.uk] 
Sent: Monday, June 17, 2013 7:18 PM
To: cf-talk
Subject: RE: Safety for image uploads


You shouldn't rely purely on JS; as with any form validation you should
have server-side as well, but you can check the filename before performing
any actions, which means the file won't make it past the temp folder.

Russ Michaels
www.michaels.me.uk
 On 17 Jun 2013 21:38, "Mark A. Kruger" <mkru...@cfwebtools.com> wrote:

>
> Russ,
>
> Help me out here.... how would I check the file extension securely on the
> client side? It seems like any sort of js or other rigamarole could be
> quickly circumvented. What am I missing?
>
> -Mark
>
> Mark Kruger - CFG
> CF Webtools
> www.cfwebtools.com
> www.coldfusionmuse.com
>
>
> -----Original Message-----
> From: Russ Michaels [mailto:r...@michaels.me.uk]
> Sent: Monday, June 17, 2013 2:30 AM
> To: cf-talk
> Subject: Re: Safety for image uploads
>
>
> You simply check the extension on the filename; you can do this prior to
> upload, it doesn't require any special CF-specific functionality, it's just
> validating a filename.
> If you are allowing people to upload files and then change the extension
> then you would have a security problem.
>
> Russ Michaels
> www.michaels.me.uk
>  On 17 Jun 2013 03:03, "Dave Watts" <dwa...@figleaf.com> wrote:
>
> >
> > > if you're only dealing with images and are stopping all other file types
> > > being uploaded then what is the issue with allowing them to be uploaded
> > > to the website?
> >
> > I'm not sure what you mean by "stopping all other file types being
> > uploaded", but CF doesn't include functionality to validate that a
> > file is what its extension says it is.
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > http://training.figleaf.com/
> >
> > Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> > GSA Schedule, and provides the highest caliber vendor-authorized
> > instruction at our training centers, online, or onsite.
> >
> >
>
>
>
> 
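As an added illustration (not code from anyone in this thread, and written in Python rather than CFML so the logic stands alone): the server-side check Russ describes, an extension allowlist applied while the file is still in the temp folder, combined with the content check Dave notes CF does not do for you. The signature table, function names and the constructed sample uploads are my own.

```python
import os
import shutil
import tempfile

# Allowed image extensions and the magic bytes their content must start with
# (constructed allowlist for the example; extend to what the site actually serves).
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

def allowed_extension(filename):
    """Lower-cased extension if it is on the allowlist, else None. Only the
    final extension counts, so a double extension is judged by its last part
    here and must still pass the content check."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return ext if ext in IMAGE_SIGNATURES else None

def content_matches_extension(path, ext):
    """Read the first bytes of the temp file and require a signature for ext."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    return any(head.startswith(sig) for sig in IMAGE_SIGNATURES[ext])

def accept_upload(temp_path, original_name, dest_dir):
    """Move the file out of the temp folder only if both checks pass.
    Returns the destination path, or None after deleting the rejected file."""
    ext = allowed_extension(original_name)
    if ext is None or not content_matches_extension(temp_path, ext):
        os.remove(temp_path)  # nothing unchecked stays on disk
        return None
    # Server-generated name: the user-supplied filename never reaches the web root.
    dest = os.path.join(dest_dir, f"{os.urandom(8).hex()}.{ext}")
    shutil.move(temp_path, dest)
    return dest

def demo(name, data):
    """Constructed upload: write data to a temp file, run accept_upload, True if kept."""
    tmp_dir, web_dir = tempfile.mkdtemp(), tempfile.mkdtemp()
    tmp = os.path.join(tmp_dir, "upload.tmp")
    with open(tmp, "wb") as fh:
        fh.write(data)
    return accept_upload(tmp, name, web_dir) is not None
```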



Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355960