> > if someone wants to upload an .exe file all they have to do 
> > is give it a .pdf extension.  Plan your security for that as 
> > best you can.
> 
> What type of security can prevent that?  What can truly 
> determine what type of file a file is except by extension?

Well, the extension isn't what gives the ability to do one thing or another,
it's the actual contents of the file. The extension is just a convenience
used by Windows to determine the file type without having to actually read
and interpret the contents of the file. Other operating systems don't use
extensions, they use other file metadata (resource forks, etc.) to figure
this out.

There are third-party libraries that can determine what type a file is, by
examining the file itself.

However, you should simply assume that all files, under the right
conditions, could be executable. So, you don't want to allow files to be
placed where they could be potentially executed.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
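
An added example, not part of the original message and not any particular library's API: it checks an upload's leading bytes rather than its extension, then stores accepted files under a random name in a directory assumed to sit outside the web root. The function names, the signature table, the sample bytes and `storage_dir` are all assumptions made for illustration.

```python
import os
import secrets

# Leading-byte signatures for a few formats (small illustrative table).
SIGNATURES = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "exe": b"MZ",        # DOS/Windows PE executables
    "elf": b"\x7fELF",   # Linux executables
}

# Constructed sample inputs, not real files.
REAL_PDF = b"%PDF-1.4\n%%EOF\n"
EXE_NAMED_PDF = b"MZ\x90\x00" + b"\x00" * 60  # PE-style header sent as "report.pdf"

def sniff_type(data):
    """Return the type whose signature starts the content, or None if unknown."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None

def extension_matches_content(filename, data):
    """True only when the claimed extension agrees with the sniffed type."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    return sniff_type(data) == ext

def store_upload(filename, data, storage_dir, allowed=("pdf",)):
    """Reject mismatched or disallowed content, then save it non-executably.

    storage_dir is assumed to be outside the web root. A signature match is
    a filter, not proof of what a file is, so the storage location is what
    keeps an accepted file from ever being run by the server.
    """
    kind = sniff_type(data)
    if kind not in allowed or not extension_matches_content(filename, data):
        raise ValueError("rejected %r: content sniffed as %r" % (filename, kind))
    # Server-chosen name: the client's filename never reaches the disk.
    path = os.path.join(storage_dir, secrets.token_hex(16) + "." + kind)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        print(store_upload("report.pdf", REAL_PDF, d))
        print(extension_matches_content("report.pdf", EXE_NAMED_PDF))
```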

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:257999