Yes... something sadly lacking is an easy way to examine an http request for
size in advance.

-Mark


-----Original Message-----
From: Loathe [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 21, 2005 8:37 PM
To: CF-Talk
Subject: RE: Upload security?


True. At least it will be wiped out once uploaded though.

Too bad JS doesn't give us more access to a form field on the original page.

Tim

-----Original Message-----
From: Mark A Kruger [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 21, 2005 9:28 PM
To: CF-Talk
Subject: RE: Upload security?


Yes - but the request has to end before you can check that var.  And the
request doesn't end until the last byte is uploaded. At that point you are
free to check the file size (using a number of methods), but that doesn't
prevent users from tying up server and bandwidth resources with large files.

-mk

-----Original Message-----
From: Loathe [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 21, 2005 8:26 PM
To: CF-Talk
Subject: RE: Upload security?


nah,

We check the cgi.content_length to ensure it's less than 5 megs before doing
anything else.

-----Original Message-----
From: Jennifer Larkin [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 21, 2005 8:39 PM
To: CF-Talk
Subject: Re: Upload security?


The main problem with this is that people can nail your server by
uploading huge files that you have to upload before you can test to
see if you can delete them. I've seen people complain that their 20M
......xls file isn't uploading as though I should support them doing such a
thing.

Good luck!

On 7/21/05, Matt Robertson <[EMAIL PROTECTED]> wrote:
> In addition to what Deanna said, why not specify the file types you
> will allow using CFFILE's ACCEPT parameter?  The two for Excel are
> application/vnd.ms-excel and application/msexcel.
>
> However CFFILE determines MIME type via the file extension, which
> isn't exactly hackproof.  If you allow file renaming after upload some
> clown can upload any file type as an allowed file type, then rename it
> as part of some nefarious scheme.  No idea how to fix that...
>
> --
> --mattRobertson--
> Janitor, MSB Web Systems
> mysecretbase.com
>
>

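Putting the checks discussed in this thread together (Loathe's cgi.content_length pre-check, Matt's point that CFFILE's ACCEPT only knows the MIME type inferred from the client-supplied extension, and Mark's caveat that the bytes have already arrived by the time anything can be checked), as an added CFML example that is not from any poster in the thread. The form field name "uploadFile", the "uploads" directory, the 5 MB limit and the xls-only whitelist are assumptions.

```cfml
<!--- Added example, not from the thread. Assumes a multipart form with a
      field named "uploadFile", an "uploads" directory next to this page,
      a 5 MB ceiling and an .xls-only whitelist. --->
<cfset maxBytes = 5 * 1024 * 1024>
<cfset uploadDir = expandPath("./uploads")>
<cfset allowedExt = "xls">

<!--- 1. Reject oversized requests as early as CF allows. As noted in the
      thread, cgi.content_length is only readable once the whole request has
      arrived, so the bandwidth is already spent; this check keeps the file
      off disk and out of the rest of the page, nothing more. --->
<cfif NOT isNumeric(cgi.content_length) OR cgi.content_length GT maxBytes>
    <cfheader statuscode="413" statustext="Request Entity Too Large">
    <cfoutput>Upload rejected: request larger than #maxBytes# bytes.</cfoutput>
    <cfabort>
</cfif>

<!--- 2. Let CFFILE filter on MIME type. This type is derived from the
      extension the client sent, so treat it as a first filter only. --->
<cffile action="upload"
        fileField="uploadFile"
        destination="#uploadDir#"
        accept="application/vnd.ms-excel,application/msexcel"
        nameConflict="makeUnique">

<!--- 3. Re-check the stored file independently of ACCEPT: extension
      whitelist plus the real size on disk. Delete anything that fails so a
      bad attempt never leaves a file behind. --->
<cfset storedFile = cffile.serverDirectory & "/" & cffile.serverFile>
<cfset storedExt  = lCase(cffile.serverFileExt)>
<cfset storedSize = cffile.fileSize>
<cfif NOT listFindNoCase(allowedExt, storedExt) OR storedSize GT maxBytes>
    <cffile action="delete" file="#storedFile#">
    <cfoutput>Upload rejected after inspection; file removed.</cfoutput>
    <cfabort>
</cfif>

<!--- 4. Assign the final name server-side, keeping only the verified
      extension, so the client never controls what the file is called and a
      later rename cannot turn an "allowed" upload into something else. --->
<cfset safeName = createUUID() & "." & storedExt>
<cffile action="rename" source="#storedFile#"
        destination="#uploadDir#/#safeName#">
<cfoutput>Stored as #safeName# (#storedSize# bytes)</cfoutput>
```

Step 1 only saves disk and processing time; the server still had to receive the full body, which is exactly the gap Mark describes.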
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:212484
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4