because you can do this

<cffile action="read" file="ntuser.dat" variable="contents">


WG

> -----Original Message-----
> From: paul smith [mailto:[EMAIL PROTECTED]]
> Sent: 30 January 2003 15:13
> To: CF-Talk
> Subject: RE: Screening files before CFFile upload: Follow-up
>
>
> Since file upload is part of the http protocol why is CFFILE considered
> such a security risk?
>
> best,  paul
>
> At 02:24 PM 1/30/03 +0000, you wrote:
> >Hi,
> >
> > > Follow-up to yesterday's thread of trying to screen files before
> > > uploading with cffile:
> >
> >I didn't comment on this thread yesterday..so...
> >
> > > Just did some comparing of the MX behavior with CF5, to see if I could
> > > glean any valuable info from the initial form before uploading using
> > > cffile using CF5:
> >
> >File upload is part of the http protocol, nothing to do with cf. Files are
> >uploaded as mime attachments. The only thing available to cf is the post
> >data, fields plus data, mime attachments, and anything else the browser
> >supplies (cookies, agent string etc.)
> >
> > > If I did a cfdump of the form (initial form with file to upload), in MX,
> > > regardless of the type of file to be uploaded, it showed the form field
> > > value as that temporary file (.tmp) --nothing to suggest the actual
> > > extension, etc.
> > > (Will probably use a JavaScript routine as a partial check.)
> >
> >The file is nearly always (exception below) uploaded to a tmp file. Once you
> >call cffile the file is copied to the filename/location you supply. Maybe
> >renamed to the clientfile name which is supplied in the mime header.
> >
> > > In CF5, however, if the file to be uploaded was something like .jpg, .doc,
> > > it showed in dump as temporary files (.tmp).
> > > But for things like .txt or .htm, it showed the total rendered
> > > file in dump!
> > > Not the name--the actual processed page!
> >
> >This is because the mime type for both htm & txt is plain/text so the
> >browser can just upload it as a field.
> >
> >It takes an understanding of http to know _WHY_ this is the way it is.
> >Web developers really need to read the RFC's !!!!
> >
> >There are ways and means of figuring out what size a file is _before_ it is
> >uploaded.
> >
> >a) applet
> >b) activeX
> >c) java script in the newer browsers with the permissions set for JS to read
> >local files
> >
> >However none of these are reliable.
> >
> > > Gotta get some productive work accomplished. Could investigate
> > > this forever!
> >
> >Fun huh ?;-)
> >
> >WG
> >
> >
> 
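The thread's point is that everything cf sees about an upload (the clientfile name in the mime header, the Content-Type, the .tmp name) comes from the browser, so the screening has to happen server-side after cffile has written the temp file. The following is an added example, not code from the thread or from any of its posters; it assumes a modern CFML engine (ColdFusion 10+ or Lucee), a form field named "userfile", and a placeholder directory uploadDir outside the webroot.

```cfml
<!--- Added example: screen an upload on the server, trusting nothing the
      browser supplied. Assumes CF10+/Lucee; uploadDir is a placeholder. --->
<cfset uploadDir = expandPath("../private_uploads/")>  <!--- outside webroot --->
<cfset allowedExt = "jpg,jpeg,png,gif">
<!--- Constructed lookup: hex magic bytes each type must start with --->
<cfset magic = { jpg = "FFD8FF", jpeg = "FFD8FF", png = "89504E470D0A1A0A", gif = "474946" }>

<!--- 1. Let cffile write to a temp area first. makeunique avoids overwriting
      an existing file; accept= only compares the browser-sent Content-Type,
      so it is a convenience, not the real check. --->
<cffile action="upload"
        filefield="userfile"
        destination="#getTempDirectory()#"
        nameconflict="makeunique"
        accept="image/jpeg,image/png,image/gif">

<cfset tmpPath = cffile.serverDirectory & "/" & cffile.serverFile>
<cfset ext = lcase(cffile.serverFileExt)>
<cfset ok = false>

<!--- 2. Extension check against an allow-list, never a deny-list --->
<cfif listFindNoCase(allowedExt, ext)>
    <!--- 3. Content check: the leading bytes must match the expected magic
          for that extension (whole file read into memory; fine for images) --->
    <cfset head = ucase(binaryEncode(fileReadBinary(tmpPath), "hex"))>
    <cfif left(head, len(magic[ext])) eq magic[ext]>
        <cfset ok = true>
    </cfif>
</cfif>

<cfif ok>
    <!--- 4. Store under a server-generated name, not cffile.clientFile --->
    <cfset safeName = createUUID() & "." & ext>
    <cfset fileMove(tmpPath, uploadDir & safeName)>
    <cfoutput>Stored as #safeName# (#cffile.fileSize# bytes)</cfoutput>
<cfelse>
    <!--- Remove the temp copy so a rejected file never lingers on disk --->
    <cfset fileDelete(tmpPath)>
    <cfoutput>Rejected: #encodeForHTML(cffile.clientFile)#</cfoutput>
</cfif>
```

The size question from the thread is answered the same way: cffile.fileSize is known only once the bytes have arrived, so cap request size at the server or engine level rather than relying on a client-side check.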
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: 
http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Signup for the Fusion Authority news alert and keep up with the latest news in 
ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm
