Steve,

I'd say you've protected against conceivable threats with that approach -
but I still always store files outside the web root. My problem is that my
conceiver isn't always that great and ornery hackers have better conceivers
than I do.  Can I ask what you are trying to save with this approach? What's
the point of doing it this way as opposed to outside of the web root?

-Mark

P.S. Thanks for the comments about my blog - always nice to hear!



-----Original Message-----
From: Steve Bryant [mailto:st...@bryantwebconsulting.com] 
Sent: Tuesday, January 04, 2011 6:45 PM
To: cf-talk
Subject: Re: Beta Tester Wanted for new CF (MVC) Framework


Mark,

I actually remember reading that blog post when it came out (I always love
your blog, by the way). To be honest, I don't remember if I am doing that
validation in place or not. Certainly this does demonstrate that it
shouldn't be done in place - and I will address that if it is.

I am curious, however, about the following scenario:

- The files are temporarily uploaded to another location and then validated
and then moved to their final destination.
- Server side checking on both mime-type AND extension
- A black list of file extensions is maintained for file fields that do not
have a white list of extensions (with docs advising that all files should).
- Read/Write access but no execute access for upload folders
- Application.cfm in the root of the uploaded folders

With all of that, how serious is the threat of having the default upload
location be inside the web root?

Keeping in mind that the goal is dead-simple set up and development (though
security, of course, cannot be ignored).

Thanks,

Steve

>Steve,
>
>This is one off, but this post explains how you can exploit the latency
>between storing the file and handling or deleting it IF you store your temp
>file in a web root accessible folder:
>
>http://www.coldfusionmuse.com/index.cfm/2009/9/18/script.insertion.attack.vector
>
>-Mark 
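The upload-to-temp, validate, then move flow Steve lists above, written out as an added ColdFusion example; this is not code from Steve's framework or from either poster. It assumes a form posting a file field named `userfile`, a final folder `/var/app/uploads/` that exists outside the web root and is handed to users only through a download script, and the extension-to-MIME whitelist shown; all of those are assumptions for illustration.

```cfml
<!--- Added illustration, not the framework's own code.
      Assumptions: the form posts a file field named "userfile"; the folder
      /var/app/uploads/ exists, is outside the web root, and is served only
      through a cfcontent download script, never by URL. --->

<!--- Whitelist for this field: extension -> the MIME type it must arrive as.
      A field with no whitelist should refuse uploads, not fall back to a
      black list. --->
<cfset allowed = {
    pdf  = "application/pdf",
    png  = "image/png",
    jpg  = "image/jpeg",
    jpeg = "image/jpeg",
    gif  = "image/gif"
}>

<!--- Step 1: land the raw upload in ColdFusion's temp directory, which no web
      server maps. The unvalidated bytes are never reachable by URL, so there
      is no store-then-delete window for anyone to race. --->
<cfset tempDir  = getTempDirectory()>
<cfset finalDir = "/var/app/uploads/">

<cffile action="upload"
        filefield="userfile"
        destination="#tempDir#"
        nameconflict="makeunique"
        result="up">

<cfset tempPath = up.serverDirectory & "/" & up.serverFile>

<!--- Step 2: check BOTH the extension and the MIME type, and require them to
      agree. serverFileExt is the extension the file was actually saved with;
      contentType/contentSubType come from the multipart header the client
      sent, so they are a sanity check on top of the extension, not proof. --->
<cfset ext  = lCase(up.serverFileExt)>
<cfset mime = lCase(up.contentType & "/" & up.contentSubType)>

<cfif NOT structKeyExists(allowed, ext) OR allowed[ext] NEQ mime>
    <!--- Reject: remove it from temp; nothing ever touched the final folder --->
    <cffile action="delete" file="#tempPath#">
    <cfthrow type="UploadRejected"
             message="File rejected: extension '#ext#' with type '#mime#' is not allowed">
</cfif>

<!--- Step 3: move into the final location under a generated name. The client's
      filename is metadata to keep in the database, not a path component, so
      "..", spaces and double extensions never become part of a path on disk. --->
<cfset storedName = createUUID() & "." & ext>
<cffile action="move"
        source="#tempPath#"
        destination="#finalDir##storedName#">

<cfoutput>Stored #htmlEditFormat(up.clientFile)# as #storedName#</cfoutput>
```

The generated name plus the outside-the-web-root final folder is what makes the extension and MIME checks sufficient rather than critical: even a file that fools both checks cannot be requested by URL or executed by the server. On Steve's Application.cfm point, an Application.cfm in an upload folder that contains only `<cfabort>` stops ColdFusion from running any .cfm that reaches that folder, but it does nothing about content the web server serves on its own, which is the reason for keeping the final folder out of the web root as Mark suggests.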



Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340453