Since file upload is part of the http protocol, why is CFFILE considered such a security risk?

best, paul

At 02:24 PM 1/30/03 +0000, you wrote:
>Hi,
>
> > Follow-up yesterday's thread of trying to screen files before uploading with cffile:
>
>I didn't comment on this thread yesterday..so...
>
> > Just did some comparing of the MX behavior with CF5, to see if could glean any valuable info from initial form before uploading using cffile using CF5:
>
>File upload is part of the http protocol, nothing to do with cf. Files are uploaded as mime attachments. The only thing available to cf is the post data: fields plus data, mime attachments, and anything else the browser supplies (cookies, agent string etc.)
>
> > If did a cfdump of the form (initial form with file to upload), in MX, regardless of the type of file to be uploaded, it showed the form field value as that temporary file (.tmp) -- nothing to suggest the actual extension, etc. (Will probably use a JavaScript routine as a partial check.)
>
>The file is nearly always (exception below) uploaded to a tmp file. Once you call cffile the file is copied to the filename/location you supply. Maybe renamed to the clientfile name which is supplied in the mime header.
>
> > In CF5, however, if the file to be uploaded was something like .jpg, .doc, it showed in dump as temporary files (.tmp).
> > But for things like .txt or .htm, it showed the total rendered file in dump! Not the name -- the actual processed page!
>
>This is because the mime type for both htm & txt is plain/text so the browser can just upload it as a field.
>
>It takes an understanding of http to know _WHY_ this is the way it is. Web developers really need to read the RFC's !!!!
>
>There are ways and means of figuring out what size a file is _before_ it is uploaded.
>
>a) applet
>b) activeX
>c) java script in the newer browsers with the permissions set for JS to read local files
>
>However none of these are reliable.
>
> > Gotta get some productive work accomplished. Could investigate this forever!
>
>Fun huh ?;-)
>
>WG
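The thread's point is that the filename and type a server sees are nothing more than MIME headers in the multipart POST, supplied by the browser (or whatever sent the request). As an added example, not code from the list or from ColdFusion, here is the same handling in Python: parse a constructed multipart body with the standard library MIME parser, and then decide from the bytes and a server-side allow-list rather than from the claimed name or type. The body, the MAGIC table and the function names are constructed for this illustration.

```python
import email
import os
import secrets
from email import policy

# Constructed sample multipart/form-data POST body: a plain text field plus a file part
# whose client-supplied filename and Content-Type claim a JPEG while the bytes are HTML.
BOUNDARY = "----ConstructedBoundary"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="description"\r\n\r\n'
    "holiday photo\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="upload"; filename="../photo.jpg"\r\n'
    "Content-Type: image/jpeg\r\n\r\n"
    "<html><body>not really a picture</body></html>\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()

# Server-side allow-list of extensions and the leading bytes (magic numbers) each must have.
MAGIC = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}

def parse_multipart(body, boundary):
    """Parse the POST body as MIME; everything returned besides the bytes is client-supplied."""
    raw = f"Content-Type: multipart/form-data; boundary={boundary}\r\n\r\n".encode() + body
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts = []
    for part in msg.iter_parts():
        parts.append({
            "client_filename": part.get_filename(),   # from the Content-Disposition header
            "client_type": part.get_content_type(),   # defaults to text/plain when absent
            "data": part.get_payload(decode=True),    # the only thing worth trusting
        })
    return parts

def validate_upload(client_filename, data):
    """Accept or reject from the bytes and the allow-list, never from the claimed type."""
    if not client_filename:
        return False, "no filename supplied"
    ext = os.path.splitext(os.path.basename(client_filename))[1].lower().lstrip(".")
    expected = MAGIC.get(ext)
    if expected is None:
        return False, f"extension '{ext}' not allowed"
    if not data.startswith(expected):
        return False, f"content does not match a .{ext} file"
    return True, ext

def server_side_name(ext):
    """Store under a name we generate; only the vetted extension survives from the client."""
    return f"{secrets.token_hex(8)}.{ext}"
```

Run against SAMPLE_BODY, the file part reports filename `../photo.jpg` and type `image/jpeg`, yet the bytes fail the JPEG check and the upload is rejected; the field with no Content-Type header shows up as text/plain, which is the case the thread describes for .txt and .htm.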

