RE: Safety for image uploads
Russ,

Ah... you are saying check the file extension on the server before performing any actions. My mistake :)

Mark Kruger - CFG
CF Webtools

-----Original Message-----
From: Russ Michaels [mailto:r...@michaels.me.uk]
Sent: Monday, June 17, 2013 7:18 PM
To: cf-talk
Subject: RE: Safety for image uploads

> You shouldn't rely purely on js, as with any form validation you should have server side as well, but you can check the filename before performing any actions, which means the file won't make it past the temp folder.
>
> Russ Michaels
> www.michaels.me.uk
>
> On 17 Jun 2013 21:38, Mark A. Kruger mkru...@cfwebtools.com wrote:
>
> > Russ,
> >
> > Help me out here. How would I check the file extension securely on the client side? It seems like any sort of js or other rigamarole could be quickly circumvented. What am I missing?
> >
> > -Mark
> >
> > Mark Kruger - CFG
> > CF Webtools
> > www.cfwebtools.com
> > www.coldfusionmuse.com
> >
> > -----Original Message-----
> > From: Russ Michaels [mailto:r...@michaels.me.uk]
> > Sent: Monday, June 17, 2013 2:30 AM
> > To: cf-talk
> > Subject: Re: Safety for image uploads
> >
> > > You simply check the extension on the filename. You can do this prior to upload; it doesn't require any special cf specific functionality, it's just validating a filename. If you are allowing people to upload files and then change the extension then you would have a security problem.
> > >
> > > Russ Michaels
> > > www.michaels.me.uk
> > >
> > > On 17 Jun 2013 03:03, Dave Watts dwa...@figleaf.com wrote:
> > >
> > > > > If you're only dealing with images and are stopping all other file types being uploaded then what is the issue with allowing them to be uploaded to the website?
> > > >
> > > > I'm not sure what you mean by stopping all other file types being uploaded, but CF doesn't include functionality to validate that a file is what its extension says it is.
> > > >
> > > > Dave Watts, CTO, Fig Leaf Software
> > > > http://www.figleaf.com/
> > > > http://training.figleaf.com/
> > > >
> > > > Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355960
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: Safety for image uploads
Test... last email did not post... testing

Robert Harrison
Director of Interactive Services

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355962
RE: Safety for image uploads
One more time...

Here's some code that may help... use it if you'd like:

CLIENT SIDE JS

<cfset accepttypes = "'.jpg','.gif'"> <!--- one or more acceptable file extensions separated by commas in single quotes --->
<cfoutput>
<script>
extArray = new Array(#accepttypes#);
function LimitAttach(form, file) {
  allowSubmit = false;
  if (!file) return;
  // strip any Windows path prefix the browser may include in the value
  while (file.indexOf("\\") != -1)
    file = file.slice(file.indexOf("\\") + 1);
  // lastIndexOf so that "my.photo.jpg" yields ".jpg", not ".photo.jpg"
  var dot = file.lastIndexOf(".");
  ext = (dot == -1) ? "" : file.slice(dot).toLowerCase();
  for (var i = 0; i < extArray.length; i++) {
    if (extArray[i] == ext) {
      allowSubmit = true;
      break;
    }
  }
  if (allowSubmit) {
    form.submit();
    document.body.style.cursor = "wait";
  } else {
    alert("Please only upload files that end in types: " + extArray.join(" ") + "\nPlease select the correct file type.");
  }
}
</script>
</cfoutput>

<form action="img_upload2.cfm" enctype="multipart/form-data" method="post">
Select the image file to upload: <input type="file" name="file" size="60">
<input type="button" name="Upload" value="Upload" onclick="LimitAttach(this.form, this.form.file.value);">
</form>

SERVER SIDE:

<cftry>
  <!--- accept takes MIME types (for MIME types, see http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=Tags_f_10.html) --->
  <cffile action="upload" filefield="file" destination="your_path" nameconflict="makeunique" accept="image/jpeg,image/gif">
  <cfcatch>
    <cfoutput>Error: the MIME type was not accepted.</cfoutput>
    <cfabort>
  </cfcatch>
</cftry>

<!--- check the extension of the name CF actually wrote, not the client-supplied name --->
<cfset filetype = ListLast(cffile.serverfile, ".")>
<cfif filetype is "jpg" or filetype is "gif"> <!--- list your types here --->
  <!--- accept the file and do action --->
<cfelse>
  <!--- reject file for wrong extension: output error message, delete it, abort --->
  <cfoutput>Error: file type .#filetype# is not allowed.</cfoutput>
  <cffile action="delete" file="#cffile.serverdirectory#/#cffile.serverfile#">
  <cfabort>
</cfif>

I think this should cover you. Hope this helps.

Robert

Robert Harrison
Director of Interactive Services

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355963
Re: Safety for image uploads
You simply check the extension on the filename. You can do this prior to upload; it doesn't require any special cf specific functionality, it's just validating a filename. If you are allowing people to upload files and then change the extension then you would have a security problem.

Russ Michaels
www.michaels.me.uk

On 17 Jun 2013 03:03, Dave Watts dwa...@figleaf.com wrote:

> > If you're only dealing with images and are stopping all other file types being uploaded then what is the issue with allowing them to be uploaded to the website?
>
> I'm not sure what you mean by stopping all other file types being uploaded, but CF doesn't include functionality to validate that a file is what its extension says it is.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355956
Re: Safety for image uploads
I would rather keep files out of the web root entirely than risk having an executable make it 'under the wire', so to speak. If I allow that, then some other non-CF hack I haven't been savvy or prompt enough to patch - or which is still unpatched - could let an attacker rename that file and poof... an accessible executable exists whose arrival I helped facilitate. Just last week I found some smartypants trolling my sites looking for fckeditor's upload test page, assumedly to see if I left one of its protocols enabled.

On Mon, Jun 17, 2013 at 12:29 AM, Russ Michaels r...@michaels.me.uk wrote:

> You simply check the extension on the filename. You can do this prior to upload; it doesn't require any special cf specific functionality, it's just validating a filename. If you are allowing people to upload files and then change the extension then you would have a security problem.
>
> Russ Michaels
> www.michaels.me.uk

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355957
RE: Safety for image uploads
Russ,

Help me out here. How would I check the file extension securely on the client side? It seems like any sort of js or other rigamarole could be quickly circumvented. What am I missing?

-Mark

Mark Kruger - CFG
CF Webtools
www.cfwebtools.com
www.coldfusionmuse.com

-----Original Message-----
From: Russ Michaels [mailto:r...@michaels.me.uk]
Sent: Monday, June 17, 2013 2:30 AM
To: cf-talk
Subject: Re: Safety for image uploads

> You simply check the extension on the filename. You can do this prior to upload; it doesn't require any special cf specific functionality, it's just validating a filename. If you are allowing people to upload files and then change the extension then you would have a security problem.
>
> Russ Michaels
> www.michaels.me.uk

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355958
RE: Safety for image uploads
You shouldn't rely purely on js, as with any form validation you should have server side as well, but you can check the filename before performing any actions, which means the file won't make it past the temp folder.

Russ Michaels
www.michaels.me.uk

On 17 Jun 2013 21:38, Mark A. Kruger mkru...@cfwebtools.com wrote:

> Russ,
>
> Help me out here. How would I check the file extension securely on the client side? It seems like any sort of js or other rigamarole could be quickly circumvented. What am I missing?
>
> -Mark
>
> Mark Kruger - CFG
> CF Webtools
> www.cfwebtools.com
> www.coldfusionmuse.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355959
Re: Safety for image uploads
I think this got bounced, so I'll try again.

On Sat, Jun 15, 2013 at 1:41 PM, Dave Watts dwa...@figleaf.com wrote:

> > Would you consider the CF temp directory to be safe?
>
> I think it would be safe as long as there's only a single web application being run by CF. Otherwise, I'd have to think about it more carefully - I suppose there might be a possibility that someone could use the temp directory to get something from one application into another, although the conditions for doing so would presumably be quite specific.
>
> > Some hosting companies have the webroot folder one below the top of the client's user space so an upload folder can be created alongside the webroot folder but if that cannot be done then the folder has to be elsewhere...
>
> If the hosting company doesn't provide a place to store things that you don't want mapped to the web server, I would want to switch to a different host.

--
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355944
Re: Safety for image uploads
If you're only dealing with images and are stopping all other file types being uploaded then what is the issue with allowing them to be uploaded to the website?

The only scenario where I can think of this being an issue is if someone renamed a CFM file to .JPG, uploaded it and then renamed it back to .cfm so they could run it. But unless they have some other form of access then they wouldn't be able to rename the file.

On Sun, Jun 16, 2013 at 3:37 PM, Dave Watts dwa...@figleaf.com wrote:

> I think this got bounced, so I'll try again.
>
> > > Would you consider the CF temp directory to be safe?
> >
> > I think it would be safe as long as there's only a single web application being run by CF. Otherwise, I'd have to think about it more carefully - I suppose there might be a possibility that someone could use the temp directory to get something from one application into another, although the conditions for doing so would presumably be quite specific.
> >
> > > Some hosting companies have the webroot folder one below the top of the client's user space so an upload folder can be created alongside the webroot folder but if that cannot be done then the folder has to be elsewhere...
> >
> > If the hosting company doesn't provide a place to store things that you don't want mapped to the web server, I would want to switch to a different host.
>
> --
> Dave Watts, CTO, Fig Leaf Software

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355945
Re: Safety for image uploads
On Sun, Jun 16, 2013 at 9:45 AM, Russ Michaels r...@michaels.me.uk wrote:

> If you're only dealing with images and are stopping all other file types being uploaded then what is the issue with allowing them to be uploaded to the website?

Check out what happened to me.
http://www.raymondcamden.com/index.cfm/2009/9/21/How-Galleon-was-Hacked

I thought I was secure since I was - literally - in the next line of CFML checking the extensions and deleting - but someone was able to abuse this via a script.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355946
Re: Safety for image uploads
OK, but that issue would only occur if you DO NOT check the file extension before uploading it to the server, which is what you were doing: you were uploading it and then validating it afterwards. Obviously I would not suggest anyone does that; you should definitely check the file extension before you upload anything to the server and not accept any type of file which can be executed.

On Sun, Jun 16, 2013 at 4:21 PM, Raymond Camden raymondcam...@gmail.com wrote:

> On Sun, Jun 16, 2013 at 9:45 AM, Russ Michaels r...@michaels.me.uk wrote:
>
> > If you're only dealing with images and are stopping all other file types being uploaded then what is the issue with allowing them to be uploaded to the website?
>
> Check out what happened to me.
> http://www.raymondcamden.com/index.cfm/2009/9/21/How-Galleon-was-Hacked
>
> I thought I was secure since I was - literally - in the next line of CFML checking the extensions and deleting - but someone was able to abuse this via a script.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355947
Re: Safety for image uploads
Was just sharing it as an example. I was *convinced* this was secure since it was an immediate check. I couldn't check it in cffile cuz I needed to support multiple different extensions.

On Sun, Jun 16, 2013 at 10:34 AM, Russ Michaels r...@michaels.me.uk wrote:

> OK, but that issue would only occur if you DO NOT check the file extension before uploading it to the server, which is what you were doing: you were uploading it and then validating it afterwards. Obviously I would not suggest anyone does that; you should definitely check the file extension before you upload anything to the server and not accept any type of file which can be executed.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355948
Re: Safety for image uploads
OK, well in the case that anyone does have code which works in this way but does not have a non web accessible folder to upload to because their host does not give you this, then the other option would be to create an UPLOADS folder and secure this folder with .htaccess or whatever method your host provides so that files in this folder cannot be executed. You then move the file from this folder after upload and validation.

On Sun, Jun 16, 2013 at 4:36 PM, Raymond Camden raymondcam...@gmail.com wrote:

> Was just sharing it as an example. I was *convinced* this was secure since it was an immediate check. I couldn't check it in cffile cuz I needed to support multiple different extensions.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355949
Re: Safety for image uploads
> You must upload the file to a directory that is not web-accessible and cannot execute code.
>
> Dave Watts, CTO, Fig Leaf Software

Thank you Dave and the others.

Now let's say the root is c:\inetpub\wwwroot\domainname and I use cffile to upload the jpg only file to c:\uploads, use my cfimage to resize it, convert it to a png and save it to c:\inetpub\wwwroot\domainname\slideshow\, then add the image to my cf code that runs the slideshow.

Do you see anything I have missed?

Terry

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355950
Re: Safety for image uploads
> If you upload the file to something out of web root then you should be safe. Never upload to webroot. Ever.

Thank you Raymond and the others.

Now let's say the root is c:\inetpub\wwwroot\domainname and I use cffile to upload the jpg only file to c:\uploads, use my cfimage to resize it, convert it to a png and save it to c:\inetpub\wwwroot\domainname\slideshow\, then add the image to my cf code that runs the slideshow.

Do you see anything I have missed?

Terry

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355951
RE: Safety for image uploads
You are describing the proper way to do it, Terry. Just keep in mind that before anything happens that writes a file to c:\uploads the file is first collected and stored in the CF temp directory. CF is gathering the HTTP post data together there and will assemble (write your binary file) to the uploads directory after the whole file comes in. So even though you are storing in A then moving to B - you are actually storing in A, moving to B, then moving to C :)

Here's a post about a clever hack using file upload that exploits the upload of files to the web root.
http://www.coldfusionmuse.com/index.cfm/2009/9/18/script.insertion.attack.vector

Mark Kruger - CFG
CF Webtools
www.cfwebtools.com
www.coldfusionmuse.com
O: 402.932.3318
E: mkru...@cfwebtools.com
Skype: markakruger

-----Original Message-----
From: te...@it-werks.com [mailto:te...@it-werks.com]
Sent: Sunday, June 16, 2013 6:30 PM
To: cf-talk
Subject: Re: Safety for image uploads

> > If you upload the file to something out of web root then you should be safe. Never upload to webroot. Ever.
>
> Thank you Raymond and the others.
>
> Now let's say the root is c:\inetpub\wwwroot\domainname and I use cffile to upload the jpg only file to c:\uploads, use my cfimage to resize it, convert it to a png and save it to c:\inetpub\wwwroot\domainname\slideshow\, then add the image to my cf code that runs the slideshow.
>
> Do you see anything I have missed?
>
> Terry

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355952
Re: Safety for image uploads
This got bounced for some reason, so I'll try again:

> Would you consider the CF temp directory to be safe?

I think it would be safe as long as there's only a single web application being run by CF. Otherwise, I'd have to think about it more carefully - I suppose there might be a possibility that someone could use the temp directory to get something from one application into another, although the conditions for doing so would presumably be quite specific.

> Some hosting companies have the webroot folder one below the top of the client's user space so an upload folder can be created alongside the webroot folder but if that cannot be done then the folder has to be elsewhere...

If the hosting company doesn't provide a place to store things that you don't want mapped to the web server, I would want to switch to a different host.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355953
Re: Safety for image uploads
> If you're only dealing with images and are stopping all other file types being uploaded then what is the issue with allowing them to be uploaded to the website?

I'm not sure what you mean by stopping all other file types being uploaded, but CF doesn't include functionality to validate that a file is what its extension says it is.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355954
Re: Safety for image uploads
> Now let's say the root is c:\inetpub\wwwroot\domainname and I use cffile to upload the jpg only file to c:\uploads, use my cfimage to resize it, convert it to a png and save it to c:\inetpub\wwwroot\domainname\slideshow\, then add the image to my cf code that runs the slideshow.
>
> Do you see anything I have missed?

No, that seems safe enough for me. The success of the CFIMAGE operation would validate that you actually had an image, and the output of that operation is what would be moved to your web-accessible directory.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355955
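Putting Terry's plan, Dave's answer and Robert's server-side sketch together, here is an added CFScript example (not code from the thread or from any poster): stage the upload in a folder outside the web root, check the extension of the name CF actually wrote, confirm the bytes decode as an image, and write only a freshly encoded PNG into the slideshow folder, deleting the staged original whatever happens. The paths, the form field name `file`, the 800x600 fit size and the `UploadRejected` exception type are assumptions.

```cfml
<cfscript>
// Added example, not from the thread. Paths and the form field name are assumptions.
stagingDir   = "c:\uploads\";                              // outside the web root
slideshowDir = "c:\inetpub\wwwroot\domainname\slideshow\"; // inside the web root
allowedExt   = "jpg,jpeg";                                 // extension allow-list

staged = "";
try {
    // 1. Land the bytes outside the web root. 'accept' filters on the MIME
    //    type the browser claims, which is a hint, not proof of content.
    upload = fileUpload(stagingDir, "file", "image/jpeg,image/pjpeg", "makeunique");
    staged = upload.serverDirectory & "\" & upload.serverFile;

    // 2. Check the extension of the name CF wrote (serverFileExt), not the
    //    client-supplied name, and before anything else touches the file.
    if (!listFindNoCase(allowedExt, upload.serverFileExt)) {
        throw(type="UploadRejected", message="Extension not allowed: " & upload.serverFileExt);
    }

    // 3. Content check: the staged bytes must decode as an image at all.
    if (!isImageFile(staged)) {
        throw(type="UploadRejected", message="Upload is not a readable image");
    }

    // 4. Re-encode. Only the output of this step reaches the web root, and it
    //    is a new PNG under a server-chosen name, never the uploaded bytes.
    img = imageRead(staged);
    imageScaleToFit(img, 800, 600);
    outName = createUUID() & ".png";
    imageWrite(img, slideshowDir & outName);   // format follows the .png extension
    writeOutput("Stored slide as " & outName);
}
catch (UploadRejected e) {
    writeOutput("Rejected: " & e.message);
}
catch (any e) {
    // fileUpload itself throws when the claimed MIME type is not in 'accept'
    writeOutput("Upload failed: " & e.message);
}
finally {
    // 5. Whatever happened above, the staged original does not stay around.
    if (len(staged) && fileExists(staged)) {
        fileDelete(staged);
    }
}
</cfscript>
```

Because nothing the client sent is ever written under the web root, the rename-after-upload and request-before-delete scenarios discussed earlier in the thread have nothing to reach.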
Safety for image uploads
Question: If I have a browse for a user to try an upload of a JPG only file and use CFIMAGE to resize and then convert it to a PNG so I can add it to a demo slide show for the user to preview, have I eliminated any possible safety issues?

Terry

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355937
Re: Safety for image uploads
If you upload the file to something out of web root then you should be safe. Never upload to webroot. Ever.

On Fri, Jun 14, 2013 at 10:59 AM, Terry Troxel terry.tro...@gmail.com wrote:

> Question: If I have a browse for a user to try an upload of a JPG only file and use CFIMAGE to resize and then convert it to a PNG so I can add it to a demo slide show for the user to preview, have I eliminated any possible safety issues?
>
> Terry

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355940
Re: Safety for image uploads
> Question: If I have a browse for a user to try an upload of a JPG only file and use CFIMAGE to resize and then convert it to a PNG so I can add it to a demo slide show for the user to preview, have I eliminated any possible safety issues?

You must upload the file to a directory that is not web-accessible and cannot execute code.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355941
Re: Safety for image uploads
On 15/06/2013 2:49 AM, Dave Watts wrote:

> You must upload the file to a directory that is not web-accessible and cannot execute code.

Would you consider the CF temp directory to be safe?

Some hosting companies have the webroot folder one below the top of the client's user space, so an upload folder can be created alongside the webroot folder, but if that cannot be done then the folder has to be elsewhere...

--
Yours,

Kym Kovan
mbcomms.net.au

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355943