Here is a bit of JavaScript that I have used in a page to allow the
uploading of image files.  This does client-side validation of the
extensions...

function validater() {
        // Client-side convenience check only: anything done here can be
        // bypassed, so the server must re-validate the extension and the
        // file content after the upload arrives.
        var uploadfile = document.PhotoUpload.user_file.value;
        var allowSubmit = false;
        var ext;
        var extArray = new Array(".gif", ".jpg", ".png", ".jpeg",
                                 ".bmp", ".tiff", ".tif");

        if (document.PhotoUpload.description.value == "") {
                alert('Please enter a Description');
                document.PhotoUpload.description.focus();
                return false;
        }
        else if (document.PhotoUpload.user_file.value == "") {
                alert('Please enter a file to upload');
                document.PhotoUpload.user_file.focus();
                return false;
        }

        if (!uploadfile) return false;
        // Strip any Windows path the browser prepends, e.g. C:\photos\cat.jpg
        while (uploadfile.indexOf("\\") != -1)
                uploadfile = uploadfile.slice(uploadfile.indexOf("\\") + 1);
        // Take the extension from the LAST dot, so "my.photo.jpg" yields
        // ".jpg" rather than ".photo.jpg"; a name with no dot has no
        // extension and is rejected by the loop below.
        var dot = uploadfile.lastIndexOf(".");
        ext = (dot == -1) ? "" : uploadfile.slice(dot).toLowerCase();
        for (var i = 0; i < extArray.length; i++) {
                if (extArray[i] == ext) { allowSubmit = true; break; }
        }

        if (allowSubmit) {
                // Warn before submitting, not after the request is in flight.
                alert("The upload process may take a few moments.\n\n"
                      + "Do not click the browser back or stop button "
                      + "during this time.");
                document.PhotoUpload.file_ext.value = ext;
                document.PhotoUpload.submit();
                return true;
        }
        else {
                alert("Only the following extensions are valid:\n    "
                      + extArray.join("  ")
                      + "\nPlease select a new file to upload and submit again.");
                return false;
        }
}

John Woods
Managing Consultant
Buchanan Associates
http://www.buchanan.com
A Technology Company in the People Business.


-----Original Message-----
From: Palyne Gaenir [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 27, 2001 8:35 PM
To: [EMAIL PROTECTED]
Subject: cffile - security issues


Hi List, would appreciate some experienced insight here.

I have an app that allows users to upload files.  I would like to be 
certain that they do not upload files capable of running malicious 
code on my server, but leave the file types they are allowed to 
upload, generally "open" otherwise.  (1) Is there some kind of list 
of file types to exclude that are considered 'dangerous'?  and (2) 
would allowing uploads of java .class files be dangerous?

(3) I have a list I compiled from a mime-types list someone posted on 
this list about a year ago, that seems wide enough to span commonly used 
uploads.  Does this seem like major overkill to try and stuff all 
this into the "accept" field of a cffile tag??  as follows:

application/http, application/msword, application/pdf, 
application/rtf, application/wordperfect5.1,
application/x-latex, application/xml, application/zip, image/bmp, 
image/gif, image/png, image/tiff, image/tif,
image/jpeg, image/jpg, text/html, text/htm, text/asc, text/txt, 
text/richtext, text/rtf, text/tab-separated-values,
video/mpeg, video/mpg, video/mpe, video/quicktime, video/qt, 
video/mov

(4) A related question.  I tried to use CFIF on an insert template, 
to make sure users could not insert files with exe, com, bat, vb etc. 
extensions.  I said:

[cfif trim(right(form.resfile,6)) contains 
('.bat','.exe','.com','.vb')] reject it and say why [/cfif]
And then I made simple text files with a few chars and named them 
with extensions like .vb for example, and tried to upload -- and the 
.bat just worked (it shouldn't have) and the .vb for example gets 
caught by error-checking as the file field being blank, when it was 
not, it's as if it's getting 'cleared' somehow on submit.  Clearly my 
logic is way off on this.  Is there a better way to approach it??

Best regards,
Palyne
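The JavaScript above only runs in the browser, and the check in question (4)
looks at the tail of the filename rather than at what follows the last dot,
so neither settles what the server should do with the file it actually
receives. The block below is an added example, not code from either message
in this thread: a server-side validator in plain JavaScript (it runs under
Node.js with no modules) that takes the extension from the last dot of the
bare filename, accepts only an allow-list of image extensions, and then
confirms the first bytes really are that image format. The MIME type the
browser sends with the upload, which is what an accept list of MIME types is
compared against, is chosen by the client and is deliberately not consulted.
The filenames and header bytes used as samples are constructed for the
example.

```javascript
// Added example, not code from this thread. Server-side validation of an
// uploaded file: allow-list on the extension after the LAST dot of the bare
// filename, then a magic-number check that the bytes match that extension.
// The browser-supplied MIME type is not used anywhere.

// Leading byte signatures for each allowed extension (TIFF has two byte orders).
var ALLOWED = {
  ".gif":  [[0x47, 0x49, 0x46, 0x38]],                           // "GIF8"
  ".jpg":  [[0xff, 0xd8, 0xff]],
  ".jpeg": [[0xff, 0xd8, 0xff]],
  ".png":  [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  ".bmp":  [[0x42, 0x4d]],                                        // "BM"
  ".tif":  [[0x49, 0x49, 0x2a, 0x00], [0x4d, 0x4d, 0x00, 0x2a]],  // "II*\0" / "MM\0*"
  ".tiff": [[0x49, 0x49, 0x2a, 0x00], [0x4d, 0x4d, 0x00, 0x2a]]
};

// Lower-cased extension from the last dot of the bare filename. Any client
// path (Windows or Unix) is discarded first. Returns "" when there is no
// extension or the name is a dotfile such as ".htaccess".
function extensionOf(filename) {
  var base = String(filename).split(/[\\/]/).pop();
  var dot = base.lastIndexOf(".");
  return dot <= 0 ? "" : base.slice(dot).toLowerCase();
}

// True when the first sig.length bytes of the upload equal sig.
function startsWithBytes(bytes, sig) {
  if (bytes.length < sig.length) return false;
  for (var i = 0; i < sig.length; i++) {
    if (bytes[i] !== sig[i]) return false;
  }
  return true;
}

// Returns { ok: true, ext } or { ok: false, reason }.
// The extension is an allow-list (what we accept), never a deny-list of
// dangerous extensions, so an unanticipated type fails closed.
function validateUpload(filename, bytes) {
  var ext = extensionOf(filename);
  if (!Object.prototype.hasOwnProperty.call(ALLOWED, ext)) {
    return { ok: false, reason: "extension not allowed: " + (ext || "(none)") };
  }
  var matches = ALLOWED[ext].some(function (sig) { return startsWithBytes(bytes, sig); });
  if (!matches) {
    return { ok: false, reason: "content does not match " + ext };
  }
  return { ok: true, ext: ext };
}

// Constructed sample inputs: a few leading bytes standing in for whole files.
function asciiBytes(s) {
  return Array.prototype.map.call(s, function (c) { return c.charCodeAt(0); });
}
var SAMPLES = [
  ["C:\\photos\\cat.GIF", asciiBytes("GIF89a....")],                     // accepted
  ["my.photo.jpg",        [0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10]],         // accepted: last dot wins
  ["evil.jpg.bat",        asciiBytes("@echo off")],                       // rejected: .bat
  ["shell.php",           asciiBytes("<?php system($_GET['c']); ?>")],    // rejected: .php
  ["page.jpg",            asciiBytes("<cfoutput>#Now()#</cfoutput>")],    // rejected: not a JPEG
  [".htaccess",           asciiBytes("AddType text/html .jpg")]           // rejected: no extension
];

// One line of outcome per sample, handy for a quick manual run.
function runSamples() {
  return SAMPLES.map(function (s) {
    var r = validateUpload(s[0], s[1]);
    return s[0] + " -> " + (r.ok ? "accept as " + r.ext : "reject (" + r.reason + ")");
  });
}

runSamples().forEach(function (line) { console.log(line); });
```

When a file passes, store it under a name the server chooses (an id plus the
validated extension) rather than the client's filename, and keep the upload
directory outside anything the web server will execute as a template.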


-------------------------------------------------------------------------
This email server is running an evaluation copy of the MailShield anti-
spam software. Please contact your email administrator if you have any
questions about this message. MailShield product info: www.mailshield.com

-----------------------------------------------
To post, send email to [EMAIL PROTECTED]
To subscribe / unsubscribe: http://www.dfwcfug.org
