Be very careful if you use a hidden field to name the file you are allowing
the user to download.  I could download your index.cfm, your NT password file,
etc.  Any Access db that I can manage to find.  Download all the code on
your server to find bigger holes in it.  I recommend storing the name of the
file in a session variable or in a database and passing the db_id with standard
checks to see that the user is only getting his database entry.

No flame intended, just being security minded.  I have seen too many possible
security holes with CFfile and cfcontent.

-----Original Message-----
From: Chris Shelton [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 27, 2001 3:19 PM
To: Fusebox
Subject: RE: cfcontent and default file name


In your display file (where you click to download the file):
1. Create a form tag.
2. Use the following format in the action param of the form tag:
        action="action_page.cfm/name_of_file_u_want_with_file_extension"
3. Use input type="hidden" in your form to set your fuseaction to the
   case where you use the cfcontent tag.

example:
<cfform action="#cgi.script_name#/myfile.txt" method="post">
        <input type="Hidden" name="fuseaction" value="dowload">
        <input type="Hidden" name="filename" value="#nameofyoufile#">
        <input type="submit" name="download" value="Download">
</cfform>



-----Original Message-----

From: Balasekaran Murugesan [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 27, 2001 2:22 PM
To: Fusebox
Subject: cfcontent and default file name


Hi All,

I am using cfcontent to download to a file. The file name defaults to
index.cfm. Is there a way I can change the default name index.cfm to
something else? I am using fusebox methodology.

Thanks in advance.
Bala.

Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
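
The advice in the first reply of this thread (send an id, look the file up on the server, and check that the row belongs to the requesting user) could look like the handler below. This is an added example, not code from any poster in the thread; the table `user_files`, its columns, the datasource `appdsn`, `session.user_id` and the `baseDir` path are all assumptions.

```cfml
<!--- act_download.cfm (added example). Assumed names: table user_files,
      datasource appdsn, session.user_id, and the baseDir path. --->
<cfparam name="form.file_id" default="">
<cfset baseDir = "D:\appdata\downloads\"><!--- assumed; keep it outside the web root --->

<!--- 1. The form posts only a numeric id in a hidden field, never a path
         or file name, and the caller must already be logged in --->
<cfif reFind("^[0-9]{1,9}$", form.file_id) EQ 0 OR NOT isDefined("session.user_id")>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- 2. Resolve the id server side, scoped to the requesting user --->
<cfquery name="qFile" datasource="appdsn">
    SELECT stored_name, display_name
    FROM   user_files
    WHERE  file_id  = <cfqueryparam value="#form.file_id#" cfsqltype="cf_sql_integer">
    AND    owner_id = <cfqueryparam value="#session.user_id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- 3. No row: the id does not exist or belongs to someone else.
         Both cases get the same answer --->
<cfif qFile.recordCount NEQ 1>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- 4. Defence in depth: stored_name must be a bare file name under baseDir --->
<cfset fullPath = baseDir & qFile.stored_name>
<cfif reFind("[\\/:]", qFile.stored_name) OR NOT fileExists(fullPath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- 5. The name offered to the browser comes from the database row,
         not from the request --->
<cfset safeName = reReplace(qFile.display_name, "[^A-Za-z0-9._-]", "_", "all")>
<cfheader name="Content-Disposition" value='attachment; filename="#safeName#"'>
<cfcontent type="application/octet-stream" file="#fullPath#" deletefile="no">
```

With this handler the download form carries `file_id` in its hidden field instead of `filename`, so editing the field can only select another id, which the `owner_id` check then rejects.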