Don't give them direct access to an uploaded file... make them go
through a program you write which fetches the file and displays it.
HTH
Dick
At 2:11 PM -0700 4/22/01, Brook Davies wrote:
>I have an application which allows clients to upload various files which
>can later me accessed via the web. My concern is that if the uploaded file
>has a .cfm extension, when it is reviewed post upload, it could actually
>execute malicious code on the server. I guess the same would hole true with
>a .exe file (except that execute privileges are disabled).
>
>I need to allow a wide range of acceptable upload types, so I can't
>restrict it at the upload stage. What would be the best way to allow some
>one to access these files post upload while not posing a security threat?
>
>How would I enable a download of a .cfm file or a .js or whatever without
>having it execute on the server as opposed to promoting for a download?
>
>Brook Davies
>
>
>
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
