> I thought perhaps there was a way to auto-fill with a
> cfdirectory-generated list and corresponding fields for
> each file that would be pre-filled, then all the user would

First, CFDIRECTORY only has access to the files and directories on the 
server, not the client, so you wouldn't be able to "list" the user's 
folders and pre-populate the fields anyway.

> At this point, I don't see how pre-filling the fields with values
> that the user is placing there is a security risk.  I'm sure in some
> way that I'm not familiar with, the function could be abused.

Ok, imagine that there is a widely used accounting program that stores 
its data file in the same location on every install.  Now, imagine a 
malicious web author sending spam for free Paris Hilton pictures.  The 
unsuspecting user visits the page, but it's asking for their age before 
it will let them through.  No problem!  Here's my age, click submit, and 
WHAM, they now have your accounting database.  How?  Because they put a 
file upload field with the path to your database pre-populated.  Maybe 
the field was hidden, covered with an image, or re-positioned off screen 
so the user didn't see it.  Whatever the case, the browser won't let you 
do that to prevent this scenario.

> It just seems like with some limitations placed on a "group file upload",
> such as no hidden fields allowed, etc, that the function could be
> brought into use without security risks.  The name of the file (which
> is often obscured in the filefields without working to view the filename)
> could be placed above the filefields when they are generated to assure
> the user of what's being uploaded.

That's one of the faulty assumptions: that users check for these sorts 
of things before they click submit.  How many years did it take to train 
people to look for the lock icon when making a purchase?  The browser 
vendors had to start changing the color of the address bar to get people 
to notice!

> There are javascript solutions for this, so why can't CF have one
> that doesn't pose a security risk, if the javascript solutions don't?

I think the JS method someone mentioned exploited a bug in IE to get 
around that, and said bug has since been patched so even that won't work 
anymore.


-Justin Scott
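The browser restriction described in the reply above can be seen directly. The page below is an added demonstration, not part of the CF-Talk thread or any ColdFusion code: it puts a file input on a form and tries, both from markup and from script, to pre-fill it with a path. The path is a constructed placeholder. Per the HTML specification, a `value` attribute does not apply to `<input type="file">`, and assigning a non-empty string to its `value` property from script throws an `InvalidStateError`; only the empty string (clearing the selection) is accepted. The user must pick the file deliberately, which is exactly what prevents the hidden-field scenario.

```html
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>File input pre-fill check</title></head>
<body>
  <!-- Constructed demo page; not from the CF-Talk thread. -->
  <form method="post" enctype="multipart/form-data" action="#">
    <!-- The value attribute does not apply to file inputs and is ignored. -->
    <input type="file" name="upload" id="upload" value="C:\PLACEHOLDER\ignored.db">
    <button type="submit">Submit</button>
  </form>
  <pre id="log"></pre>
  <script>
    // Placeholder standing in for the "same location on every install" data file.
    const attemptedPath = 'C:\\PLACEHOLDER\\accounting\\data.db';
    const input = document.getElementById('upload');
    const log = document.getElementById('log');
    function report(msg) { log.textContent += msg + '\n'; }

    // 1. Markup: the value attribute had no effect; the input starts empty.
    report('Initial value from markup: ' + JSON.stringify(input.value));

    // 2. Script: a non-empty assignment is rejected with InvalidStateError.
    try {
      input.value = attemptedPath;
      report('UNEXPECTED: browser accepted a scripted file path');
    } catch (err) {
      report('Browser refused scripted pre-fill: ' + err.name);
    }
    report('Value after attempt: ' + JSON.stringify(input.value));

    // 3. Clearing is the only scripted change allowed, and that is harmless.
    input.value = '';
    report('After clearing: ' + JSON.stringify(input.value));
  </script>
</body>
</html>
```

Open the page in any current browser and read the `<pre>` block: the value stays `""` throughout and the scripted assignment is reported as `InvalidStateError`. The same holds whether the input is visible, hidden with CSS, or positioned off screen, which is why no server-side framework, ColdFusion included, can offer a "pre-filled" upload field.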




Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311744