Thanks for the advice, Dave...and what does this mean
in practice?

"you don't want to allow files to be placed where they could be potentially
executed."

Rick

-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 25, 2006 10:48 AM
To: CF-Talk
Subject: RE: Mime Type for File Upload

> > if someone wants to upload an .exe file all they have to do 
> > is give it a .pdf extension.  Plan your security for that as 
> > best you can.
> 
> What type of security can prevent that?  What can truly 
> determine what type of file a file is except by extension?

Well, the extension isn't what gives the ability to do one thing or another,
it's the actual contents of the file. The extension is just a convenience
used by Windows to determine the file type without having to actually read
and interpret the contents of the file. Other operating systems don't use
extensions, they use other file metadata (resource forks, etc) to figure
this out.

There are third-party libraries that can determine what type a file is, by
examining the file itself.

However, you should simply assume that all files, under the right
conditions, could be executable. So, you don't want to allow files to be
placed where they could be potentially executed.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
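
An added illustration of the two points in the reply above, not code from the thread or from any ColdFusion library: identify the upload from its leading bytes rather than its extension, then store it under a server-generated name in a directory outside the web root with no execute bit. The function names, the signature table and the sample bytes are assumptions made for this sketch.

```python
import os
import secrets

# Leading bytes of a few formats (a small constructed table, not exhaustive).
SIGNATURES = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "exe": (b"MZ",),  # DOS/PE executables start with "MZ"
}
ALLOWED = {"pdf", "png", "jpg", "gif"}

def sniff_type(data):
    """Return the type implied by the content, or None if unrecognised."""
    for kind, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None

def claimed_type(filename):
    """Return the type the client claims through the extension."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    return {"jpeg": "jpg"}.get(ext, ext)

def store_upload(filename, data, storage_dir, web_root):
    """Store an upload where the web server cannot execute it.

    Raises ValueError when the content is not an allowed type, when it
    disagrees with the extension, or when storage_dir is under web_root.
    """
    kind = sniff_type(data)
    if kind not in ALLOWED:
        raise ValueError("content is not an allowed type")
    if kind != claimed_type(filename):
        raise ValueError("extension does not match content")
    storage = os.path.realpath(storage_dir)
    root = os.path.realpath(web_root)
    # Sniffing can be fooled, so the location is the real control:
    # never write uploads anywhere the server maps to a URL.
    if os.path.commonpath([storage, root]) == root:
        raise ValueError("storage directory is inside the web root")
    # The client's file name is discarded; the server picks the name.
    path = os.path.join(storage, secrets.token_hex(16) + "." + kind)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as out:
        out.write(data)
    return path
```

Files stored this way are served back through application code that reads them and sets the response type, not by a direct URL into the storage directory.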
 






Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:258009