Assuming you are using IIS, create a virtual directory on your web site. 
Remove all the application mappings for that virtual directory and remove 
execute permissions, even for scripts.

I can't think of a problem with this, but it's Sunday night here and I've 
just returned from a few drinks down the local so I may not have considered 
everything.


Mark


At 10:11 PM 22/04/2001, you wrote:
>I have an application which allows clients to upload various files which
>can later be accessed via the web. My concern is that if the uploaded file
>has a .cfm extension, when it is reviewed post upload, it could actually
>execute malicious code on the server. I guess the same would hold true with
>a .exe file (except that execute privileges are disabled).
>
>I need to allow a wide range of acceptable upload types, so I can't
>restrict it at the upload stage. What would be the best way to allow
>someone to access these files post upload while not posing a security threat?
>
>How would I enable a download of a .cfm file or a .js or whatever without
>having it execute on the server as opposed to prompting for a download?
>
>Brook Davies
>
>
>
>
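
The setup described in the reply above, expressed as a web.config for the upload directory on IIS 7 or later. This is an added example, not part of the original thread. It assumes the handlers and staticContent sections are unlocked for this path; the .cfm and .js entries are sample extensions taken from the question.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- web.config placed in the physical folder behind the upload virtual directory.
     Added illustration for IIS 7+; the extensions below are samples from the question. -->
<configuration>
  <system.webServer>
    <!-- Read only: no Script and no Execute permission for this directory. -->
    <handlers accessPolicy="Read">
      <!-- Drop every inherited mapping (ColdFusion, ASP, CGI, ISAPI and so on). -->
      <clear />
      <!-- Put back only the static file handler, so files are sent as bytes. -->
      <add name="StaticFile" path="*" verb="GET,HEAD"
           modules="StaticFileModule" resourceType="File" requireAccess="Read" />
    </handlers>
    <staticContent>
      <!-- The static handler refuses extensions that have no MIME type (404.3),
           so map script extensions to a generic download type. -->
      <remove fileExtension=".cfm" />
      <mimeMap fileExtension=".cfm" mimeType="application/octet-stream" />
      <remove fileExtension=".js" />
      <mimeMap fileExtension=".js" mimeType="application/octet-stream" />
    </staticContent>
    <httpProtocol>
      <customHeaders>
        <!-- Ask the browser to save the file rather than render it. -->
        <add name="Content-Disposition" value="attachment" />
        <add name="X-Content-Type-Options" value="nosniff" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

Requesting an uploaded .cfm file from this directory should return its source text as a download; if the response contains rendered output instead, a script mapping is still being inherited.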