Run all your files through something like this:

<!--- Strip out Bad Tags
      Code adapted from Nathan Dintenfass' and Ben Archibald's CF_SafeText Custom Tag --->
<cfparam name="Attributes.AllowHTML" default="false">

<cfif ThisTag.ExecutionMode IS "end">
<cfscript>
    Message = Trim(ThisTag.GeneratedContent);

    // Element names removed in every mode; with AllowHTML off, links, images
    // and simple formatting tags are removed as well
    if (Attributes.AllowHTML) {
        badtags = "SCRIPT|OBJECT|APPLET|EMBED|FORM|LAYER|ILAYER|FRAME|IFRAME|FRAMESET|PARAM|META|TABLE|TD|TH|TR|HEAD|BODY|FONT";
    }
    else {
        badtags = "SCRIPT|OBJECT|APPLET|EMBED|FORM|LAYER|ILAYER|FRAME|IFRAME|FRAMESET|PARAM|META|TABLE|TD|TH|TR|HEAD|BODY|FONT|A|IMG|B|U|I|OL|UL";
    }
    // Event-handler attribute names and the javascript: scheme, deleted wherever they occur.
    // This is a blacklist: handlers not listed here (onLoad, onError, ...) are left alone.
    badevents = "onClick|onDblClick|onKeyDown|onKeyPress|onKeyUp|onMouseDown|onMouseOut|onMouseUp|onMouseOver|onBlur|onChange|onFocus|onSelect|javascript:";

    // Opening or closing tag of any listed element, plus any CF* tag
    StripperRE = "<[[:space:]]?/?[[:space:]]?(#badtags#|(CF)+)[^>]*>";
    Message = REReplaceNoCase(Message, StripperRE, "", "ALL");
    Message = REReplaceNoCase(Message, badevents, "", "ALL");
    // Normalise curly single quotes to a plain apostrophe. The two characters in the
    // original did not survive encoding; Windows-1252 chr 145/146 is assumed here.
    Message = REReplace(Message, "(#Chr(145)#|#Chr(146)#)", "'", "ALL");

    // Write the cleaned text back so the tag emits it instead of the raw content
    ThisTag.GeneratedContent = Message;
</cfscript>
</cfif>

> I have an application which allows clients to upload various files which 
> can later be accessed via the web. My concern is that if the uploaded file 
> has a .cfm extension, when it is reviewed post upload, it could actually 
> execute malicious code on the server. I guess the same would hold true with 
> a .exe file (except that execute privileges are disabled).
> 
> I need to allow a wide range of acceptable upload types, so I can't 
> restrict it at the upload stage. What would be the best way to allow some 
> one to access these files post upload while not posing a security threat?
> 
> How would I enable a download of a .cfm file or a .js or whatever without 
> having it execute on the server, as opposed to prompting for a download?
> 
> Brook Davies
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm

Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists

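The quoted question asks how to let clients fetch uploaded files without the server ever executing a .cfm (or .js, .exe) that was uploaded. The tag stripper above does not address that; the usual answer is to keep uploads outside the webroot under a server-generated name and stream them back with a download header. The following is an added example written for this page, not code from the original post or from CF_SafeText. It assumes an `uploads` directory one level above the webroot, a form field `userfile`, a URL parameter `id`, and an `Application.uploads` struct standing in for the database table that would normally map stored names to original filenames.

```cfml
<!--- Added example (not from the original post). Assumptions: "uploads" directory
      above the webroot, form field "userfile", URL parameter "id", and an
      Application.uploads struct in place of a database table. --->
<cfset uploadDir = ExpandPath("../uploads/")>
<cfparam name="Application.uploads" default="#StructNew()#">

<cfif IsDefined("Form.userfile")>
    <!--- Save the file, then rename it to a generated name with a fixed extension,
          so the client-supplied name and extension never become a path the
          web server or the CF engine would execute. --->
    <cffile action="upload"
            fileField="userfile"
            destination="#uploadDir#"
            nameConflict="makeUnique">
    <cfset storedName = CreateUUID() & ".bin">
    <cffile action="rename"
            source="#uploadDir##cffile.serverFile#"
            destination="#uploadDir##storedName#">
    <!--- The original filename is kept only as data, never used as a path --->
    <cfset Application.uploads[storedName] = cffile.clientFile>
    <cfoutput><p>Stored as #storedName#</p></cfoutput>
</cfif>

<cfif IsDefined("URL.id")>
    <!--- The id must be exactly one of our generated names: this rejects "../",
          slashes and anything else a client might use to reach another file. --->
    <cfif NOT REFindNoCase("^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{16}\.bin$", URL.id)>
        <cfheader statusCode="400" statusText="Bad Request">
        <cfabort>
    </cfif>
    <cfset path = uploadDir & URL.id>
    <cfif NOT StructKeyExists(Application.uploads, URL.id) OR NOT FileExists(path)>
        <cfheader statusCode="404" statusText="Not Found">
        <cfabort>
    </cfif>
    <!--- Only safe characters in the name shown to the browser (no quotes, CR/LF) --->
    <cfset downloadName = REReplace(Application.uploads[URL.id], "[^A-Za-z0-9._-]", "_", "ALL")>
    <!--- "attachment" makes the browser prompt to save instead of rendering;
          application/octet-stream plus nosniff stops it treating the body as
          HTML or script. Nothing is served from a path the server would execute. --->
    <cfheader name="Content-Disposition" value="attachment; filename=""#downloadName#""">
    <cfheader name="X-Content-Type-Options" value="nosniff">
    <cfcontent type="application/octet-stream" file="#path#" deleteFile="no">
</cfif>
```

The two halves are independent: the upload branch decides where and under what name bytes land on disk, the download branch decides what the browser is told about them. Both matter; storing a file as `xxx.bin` outside the webroot is what stops ColdFusion from ever compiling it, while the `Content-Disposition`/`nosniff` headers are what stop a browser from running an uploaded HTML or JavaScript file in the context of your site.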