Matt Robertson wrote:
> 
> CFFM only disallows extensions?  It doesn't do MIME checking?  As in
> cffile's ACCEPT parameter?

Since the browser is really what determines the mime type, couldn't I 
configure my system to think that .cfm files were of type image/jpeg? 
Thus allowing me to upload .cfm files to the server?  At the very least, 
you could hack around with perl to do a file upload with a faked mime 
type header....

At least with extension monitoring, if a .cfm file gets on the server, 
it gets the axe.

Additionally, when unzipping files on the server or creating new files 
on the server (as CFFM allows users to do), there are no mime types.

Oh, and I just released 0.98b which includes the allowedExtensions 
configuration option.  So you can restrict uploads to just .gif, .png, 
.jpg, etc..


  - Rick
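An added example, not code from CFFM or from this thread, that applies the point above: the client-supplied MIME type is ignored entirely, the file is gated on an extension allowlist in the spirit of allowedExtensions, and the file's leading bytes are then checked against that extension. The same byte check works for files created or unzipped on the server, where no MIME type exists at all. The function and sample names are assumptions, and the sample uploads are constructed.

```python
import os

# Allowed extensions and the magic bytes a file with that extension must
# start with. The extension is the gate, not the Content-Type header.
ALLOWED = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}


def validate_upload(filename, claimed_mime, content):
    """Return (accepted, reason).

    claimed_mime is deliberately unused: the browser (or any other client)
    chooses it, so it proves nothing about what the bytes really are.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not in allowedExtensions"
    if not any(content.startswith(magic) for magic in ALLOWED[ext]):
        return False, f"content does not look like a {ext} file"
    return True, "ok"


# Constructed sample uploads (name, client-supplied MIME type, bytes).
SAMPLES = [
    ("photo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    # .cfm file sent with a faked image MIME type: rejected by extension.
    ("page.cfm", "image/jpeg", b"<cfoutput>#now()#</cfoutput>"),
    # Image extension and MIME type, but the bytes are CFML: rejected by magic.
    ("photo.jpg", "image/jpeg", b"<cfoutput>#now()#</cfoutput>"),
    # Wrong MIME type but a real JPEG header: accepted, the header is ignored.
    ("PHOTO.JPG", "text/plain", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
]


def run_samples():
    """Validate every constructed sample; returns {filename: (accepted, reason)}."""
    return {name: validate_upload(name, mime, data) for name, mime, data in SAMPLES}


if __name__ == "__main__":
    for name, (ok, why) in run_samples().items():
        print(f"{name:12} {'ACCEPT' if ok else 'REJECT'}: {why}")
```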

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:187271
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4