ColdFusion CFFILE to limit text file upload -


i'm want use cffile upload detect .txt file. i've tried use file.clientfileext detect extension. when txt detected, i'm showing pop error message users , delete file. told should not allow user's file reach our server.

then use cffile accept attribute accept text/plain. should unfortunately on test when tried uploading non text file got coldfusion error:

the mime type of uploaded file application/pdf not accepted server. files of type text/plain can uploaded. verify uploading file of appropriate type.

i tried use cftry , cfcatch still same error, due mime type don't know when file being uploaded browser. found same question in forum , tried suggested answer, did not work, still got same error message (see below)

i found posting in forum not suggest use of cf "accept" attribute. link provided further detail explanation: http://www.petefreitag.com/item/701.cfm

so question is, since i'm still using cf8, don't have many options prevent users uploading other .txt file securely? if can't use accept attribute of cffile, can @ least secure file upload functionality doing following? doing way safe enough?

  1. upload file temp folder not under root dir
  2. verify file extension
  3. change file name if extension detected .txt
  4. move file destination file under root dir

even if these steps, have allowed file reach our server, order not allow file reach our server.

below answer/suggestion previous question. doesn't work when tested it:

    <cftry>                          <cflock name="write_lock" type="exclusive" timeout="120">      <cffile action="upload" filefield="filepath" destination="#destdir#"                nameconflict="overwrite" attributes="archive">             </cflock>      <cfcatch>           <cfif findnocase("not accepted", cfcatch.message)>             <script>                $(function(){                 alert("only following file types allowed: .jpg, .gif, .bmp,                  .png.");             });         </script>         <cfabort />      <cfelse>         <!--- looks non-mime error, handle separately --->         <cfdump var="#cfcatch#" abort />      </cfif>     </cfcatch>      </cftry>

i think steps reasonable if don't using accept attribute validation. fyi can set accept .txt instead of mime types. mime type determined client it's safer check extension anyway.

the exception thrown cffile failing attribute validation may not have type, code posted tried detect findnocase() looking @ exception's message. can dump exception out , find out why findnocase() failed catch exception.

make sure treat whatever uploaded potentially malicious , not process them (e.g. cfinclude them). forcing file extension .txt should safe enough, i'll let other security experts charm in.


Comments

Post a Comment

Popular posts from this blog

android - Get AccessToken using signpost OAuth without opening a browser (Two legged Oauth) -

i using signpost oauth access data magento server. have read various tutorials on same , reach point open browser user can enter credentials. however, per requirement have automate part. hence, user should not browser page. have set-up done on server side ( magento ), hit url , returned call page. same through program in android. i have tried below, consumer = new commonshttpoauthconsumer(key, secret); provider = new commonshttpoauthprovider(oauth_init_url,access_token_url, authorize_url); try { provider.retrieverequesttoken(consumer, oauth.out_of_band); log.d("tokens" , consumer.gettoken() + " -- " + consumer.gettokensecret()); } and request tokens. dont know how bypass next step. tried directly accessing accesstoken (stupid of me) provider.retrieveaccesstoken(consumer, "mycallback://callback"); no luck, ends in oauth.signpost.exception.oauthnotauthorizedexception: authorization failed (server replied 401). ...
Read more

org.mockito.exceptions.misusing.InvalidUseOfMatchersException: mockito -

getting error org.mockito.exceptions.misusing.invaliduseofmatchersexception: invalid use of argument matchers! 1 matchers expected, 2 recorded. exception may occur if matchers combined raw values: //incorrect: somemethod(anyobject(), "raw string"); when using matchers, arguments have provided matchers. example: //correct: somemethod(anyobject(), eq("string matcher")); at when( getprogramservice .callservice(any(getprogramtype.class))) .thenreturn(jaxbresponse); please explain error , possible resolution the code posted looks fine; don't see problem it. code before or above causing exception. key here: invalid use of argument matchers! 1 matchers expected, 2 recorded. any , used above, doesn't return "special kind of null" or "special kind of getprogramtype"; don't exist. instead, returns null , side effect puts matcher on stack. whe...
Read more

google shop client API returns 400 bad request error while adding an item -

i'm working on solution add items in google shopping market java application. following tutorial real mess because of missing classes of laste release, after setting 1.5-beta maven managed make base example typecheck correctly classes. still can make simple task of adding 1 item. instead of posting whole code i'm posting part creates product feed. private product createproduct(string id) { product product = new product(); product.title = "red wool sweater"; product.content = new content( "text", "comfortable , soft, sweater keep warm on " + "cold winter nights. red , blue stripes."); product.appcontrol = new appcontrol(); product.appcontrol.addrequireddestination("productads"); product.externalid = id; product.lang = "it"; product.country = "it"; product.condition = "nuovo"; product.price = new price("eu...
Read more