From a security perspective you don't want to skip the file extension
test(s) - that is critical. Also make sure you upload to a directory
outside of the webroot, then perform your validation. Only move it under
the webroot if you are sure it is a valid image and has an approved file
extension. Finally use your web server and/or CF sandbox security to
prevent execution on the image upload folder.

I also wrote a blog entry a while ago with some tips for secure file uploads:
http://www.petefreitag.com/item/701.cfm

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Tue, Dec 18, 2012 at 10:35 PM, Dan Baughman <dan.baugh...@gmail.com> wrote:

>
> skip all the nonsense and just try to resize the image.
>
> If that fails it's either a color palette Java can't handle or it
> isn't an image.
>
> - Dan
>
> On Tue, Dec 18, 2012 at 8:12 PM, Terry Troxel <terry.tro...@gmail.com>
> wrote:
> >
> > I am looking for a safe and secure way to put an example page on my site
> > that will allow a potential client to upload a JPG in order to see an
> > example of a responsive photo gallery he can create using my new
> > responsive web template I am in the process of building.
> > Here is what I am considering in the upload process:
> > 1...JPG extension only
> > 2...file size limit
> > 3...remove exif data if it exists
> > 4...Convert file to PNG and save after doing the resizing, etc. that I
> > need to.
> >
> > I would like some opinions, suggestions, etc. to tell me if I am missing
> > something or there are any other avenues I can pursue to accomplish my
> > goal to stop anyone from using this to hack my site.
> >
> > Terry
> >
>

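The upload flow the thread converges on (extension test, size limit, staging outside the webroot, validating the content as an image, re-encoding to PNG, and only then writing under the webroot), as an added cfscript example that is not from any of the posts above; the form field name, the staging path and the gallery folder are assumptions:

```cfml
<cfscript>
// Added example, not code from the list posts. Assumptions (not on the page):
// form field "photo", a staging directory outside the webroot at
// /opt/app/upload-staging, and a /gallery folder under the webroot whose
// web server / sandbox config denies script execution.
function handleGalleryUpload( required string fieldName ) {
    var staging    = "/opt/app/upload-staging/";   // outside the webroot
    var galleryDir = expandPath( "/gallery/" );    // under the webroot, execution disabled
    var maxBytes   = 2 * 1024 * 1024;              // size limit (Terry's step 2)

    // 1. Land the file outside the webroot first, under a server-chosen unique
    //    name, so the client never controls a path under the webroot.
    //    The "accept" MIME filter only checks the client-declared type, so the
    //    real checks follow below.
    var upload = fileUpload( staging, arguments.fieldName, "image/jpeg", "makeunique" );
    var tmp    = staging & upload.serverFile;

    try {
        // 2. Extension test (step 1): the check Pete says must never be skipped.
        if ( !listFindNoCase( "jpg,jpeg", upload.serverFileExt ) ) {
            throw( type="InvalidUpload", message="Only .jpg files are accepted" );
        }
        // 3. Size limit.
        if ( upload.fileSize > maxBytes ) {
            throw( type="InvalidUpload", message="File exceeds the size limit" );
        }
        // 4. Content check: the bytes must actually decode as an image.
        if ( !isImageFile( tmp ) ) {
            throw( type="InvalidUpload", message="File is not a valid image" );
        }
        // 5. Re-encode (step 4): resize and write a fresh PNG. Because a new
        //    image is written, EXIF metadata (step 3) and any trailing data in
        //    the original are left behind; what reaches the webroot was
        //    produced by the server, not by the client.
        var img = imageRead( tmp );
        imageScaleToFit( img, 1024, 1024 );
        var safeName = createUUID() & ".png";
        imageWrite( img, galleryDir & safeName );  // only now does anything land under the webroot
        return safeName;
    }
    finally {
        // The original upload never leaves the staging area.
        if ( fileExists( tmp ) ) fileDelete( tmp );
    }
}
</cfscript>
```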
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353553