On 4/19/2010 10:33 AM, Rick Faircloth wrote:
> If appropriate formats are specified in the cffile "accept" parameter, what
> risk is there? Some kind of file that "fakes" its format or has malicious
> code embedded in it?

Yes, that can happen.

> And concerning your second concern below, I've always assumed that using the
> "accept" parameter was enough to verify file format and prevent malicious
> code from being uploaded in a file. What other tests are there that can be
> run to verify images?

No, accept simply looks at the file name. I can name my CFML hacking file
myImage.jpg and it will pass an accept test just fine. It is not quite as
simple as that to get a code file to fake being an image file. But I find
that I sleep much easier if I do *not* underestimate the resourcefulness of
hackers.

The isImage() function should help, since it actually looks at the file
binary data, not just the file name.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:332990
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
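The two-step check the reply describes (cffile accept on the name, then isImage() on the bytes), written out as an added example; this is not code from the original thread. It assumes ColdFusion 8 or later (isImage(), fileWrite(), fileDelete() and the cffile result attribute), a form field named "photo", and an uploads directory one level above the web root; all three are assumptions for illustration. The second half writes a constructed text file named myImage.jpg to the temp directory to show that an extension test and isImage() disagree about it.

```cfml
<!--- Added example, not from the original post. Assumes CF8+ and a form
      field named "photo"; the upload directory is an assumed location. --->

<!--- Keep uploads outside the web root so that a file which slips through
      every check can still never be requested and executed by the engine. --->
<cfset uploadDir = expandPath("/") & "../uploads/">

<cfif structKeyExists(form, "photo")>
    <!--- Step 1: the accept list. This only tests the name/MIME type the
          browser reports, so hack.cfm renamed to myImage.jpg passes it. --->
    <cffile action="upload"
            fileField="photo"
            destination="#uploadDir#"
            nameConflict="makeUnique"
            accept="image/jpeg,image/png,image/gif"
            result="upload">

    <cfset savedPath = upload.serverDirectory & "/" & upload.serverFile>

    <!--- Step 2: look at the bytes. isImage() tries to decode the file as
          an image, so renamed CFML or HTML fails here even though it passed
          the accept test. Delete it before anything else can touch it. --->
    <cfif NOT isImage(savedPath)>
        <cfset fileDelete(savedPath)>
        <cfoutput>
            <p>Rejected: #htmlEditFormat(upload.clientFile)# is not an image.</p>
        </cfoutput>
    <cfelse>
        <cfoutput>
            <p>Stored #htmlEditFormat(upload.serverFile)#.</p>
        </cfoutput>
    </cfif>
</cfif>

<!--- Self-check with constructed data: a plain text file given a .jpg name.
      The extension test accepts it; isImage() does not. --->
<cfset fakeImage = getTempDirectory() & "myImage.jpg">
<cfset fileWrite(fakeImage, "<cfoutput>CFML text, not image bytes</cfoutput>")>

<cfoutput>
    <p>Extension says image: #yesNoFormat(listLast(fakeImage, ".") EQ "jpg")#</p>
    <p>isImage() says image: #yesNoFormat(isImage(fakeImage))#</p>
</cfoutput>

<cfset fileDelete(fakeImage)>
```

Note that the upload is written to disk before isImage() can run, which is why the destination sits outside the web root and the reject branch deletes immediately: the accept attribute is the gate on the name, isImage() is the gate on the content, and the directory location is what limits the damage if a file gets past both.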