"Jon Hall" <[EMAIL PROTECTED]> wrote in message news:022101c15d9b$237615e0
> Wow, after staring at the code scratching my head for a few minutes I
> finally think I get the concept of what you are doing.
> Basically this is taking the filename and loading the image via a
> file://url from the local filesystem into a frame and getting all of the
> relevant data and passing it back to the original page with javascript.
> This is a really cool idea.

Exactly, the idea is not mine; I got it from a script somewhere. It was
crude and simple but cool, so I expanded it much more and adapted the whole
beast to make a DW extension out of it.

Just a note: I am not using a frame, just creating a new image object,
passing a URL to the "new Image" constructor. The funny thing is that the
URL uses "file://" as pseudo-protocol, so I am pointing to the local file
system; that's the core idea, but, again, it's not mine.
> Without testing the code out, is this not a huge security problem? I'm
> thinking that as long as the browser can handle the mime type that it
> would be possible to grab almost any file from the users hd using the same
> concept with a few modifications.

Well, it may be, but there isn't much info you can grab from a file
this way. For images you can take dimensions and file size... I have no idea
if you could grab dangerous info pointing to a text file. Anyway, you still
can't upload an arbitrary file from the local file system, but maybe you can
read some info...

Since we are already posting huge chunks of code (I hope people don't mind
too much): I developed quite a decent CFML file upload code in the past
months. A few details were adapted to make it work better in Ultradev, but
I think it may be handy. Using it together with the JavaScript code I posted
before, you have quite a sophisticated solution. I hope one of these days I
will write an article out of it, or maybe a custom tag; in the meantime here
it is:


<!--- If a form containing a field called "photo" was submitted --->
<cfif isDefined("form.photo") AND form.photo NEQ "">
 <!--- Check whether the browser reported a well formed Content-Length HTTP header --->
 <cfif cgi.content_length EQ "">
  <!--- Use cfscript to write errors, so UltraDev does not display odd things if this code sits above the <body> tag --->
  <cfscript>
  WriteOutput("Your browser reported a badly formed HTTP header; this could be caused by an error, a bug in your browser or the settings on your proxy/firewall.");
  </cfscript>
  <!--- Abort processing --->
  <cfabort>
 </cfif>
 <!--- Set max size allowed in KB --->
 <cfset tmtMaxSizeKB = 10>
 <!--- Convert the value to bytes --->
 <cfset tmtMaxSize = tmtMaxSizeKB * 1024>
 <!--- First check: file size as reported by the HTTP header (a value the client supplies) --->
 <cfif Val(cgi.content_length) GT tmtMaxSize>
  <cfscript>
  WriteOutput("The selected file's size is greater than the " & tmtMaxSizeKB & " KiloBytes maximum size allowed, please select another one and try again.");
  </cfscript>
  <!--- Abort processing --->
  <cfabort>
 </cfif>
 <!--- Upload the file, make unique names on clashes and allow only images.
       Note: accept="image/*" is matched against the MIME type the browser declares
       for the file, not against the file's content --->
 <cftry>
  <cffile action="upload" filefield="photo"
   destination="#ExpandPath("images")#" nameconflict="makeunique"
   accept="image/*">
  <!--- If the file upload failed --->
  <cfcatch type="Any">
   <!--- Display errors --->
   <cfscript>
   WriteOutput("An error occurred during the file upload process.<br><br>");
   WriteOutput("This is likely due to one of the reasons below:<br><br>");
   WriteOutput("1) The MIME type of the uploaded file was not accepted by the server. Please verify that you are uploading a file of the appropriate type.<br>");
   WriteOutput("2) The application doesn't have the correct permissions on the server.<br><br>");
   WriteOutput("If the problem persists, please contact the website's administrator.");
   </cfscript>
   <!--- Abort processing --->
   <cfabort>
  </cfcatch>
 </cftry>
 <!--- If the file was saved --->
 <cfif isDefined("file.FileWasSaved")>
  <!--- Second check: the real size on disk, in case the Content-Length header was faked --->
  <cfif file.FileSize GT tmtMaxSize>
   <cfset tmtServerFilePath = file.ServerDirectory & "\" & file.ServerFile>
   <!--- Be sure the file exists before we delete it --->
   <cfif FileExists(tmtServerFilePath)>
    <cftry>
     <!--- Delete the beast --->
     <cffile action="delete" file="#tmtServerFilePath#">
     <cfcatch type="Any">
      <!--- Something went wrong on deleting, display error --->
      <cfscript>
      WriteOutput("An error occurred during the file upload process");
      </cfscript>
      <!--- Abort processing --->
      <cfabort>
     </cfcatch>
    </cftry>
   </cfif>
   <!--- Display error: it's a different message than before, good to tell the two
         checks apart when debugging. The abort runs whether or not the delete did,
         so an oversized file is never accepted --->
   <cfscript>
   WriteOutput("The uploaded file's size is greater than the " & tmtMaxSizeKB & " KiloBytes maximum size allowed, please select another one and try again.");
   </cfscript>
   <!--- Abort processing --->
   <cfabort>
  </cfif>
  <!--- Store the name of the file inside the form variable --->
  <cfset form.photo = file.ServerFile>
  <!--- Redirect if needed --->
  <cfset tmt_upload_redirect = "mypage.cfm">
  <cfif tmt_upload_redirect NEQ "">
   <cflocation url="#tmt_upload_redirect#">
  </cfif>
 <!--- If the file was not saved, display error then abort --->
 <cfelse>
  <cfscript>
  WriteOutput("An error occurred during the file upload process");
  </cfscript>
  <cfabort>
 </cfif>
</cfif>
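The same three checks the CFML handler makes (the client-declared Content-Length first, the size on disk second, then the accept="image/*" type filter), written out as an added illustration in Python rather than CFML; this is not Massimo's code. It adds one step the CFML cannot do with accept alone, a magic-byte sniff, since accept only inspects the type the browser declares; the sample inputs are constructed.

```python
"""Server-side upload checks modelled on the CFML handler above, plus a
content sniff. Added illustration, not the original ColdFusion code."""
from dataclasses import dataclass
from typing import Optional

# Magic-byte signatures for the image types a "photo" field should accept.
IMAGE_SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

@dataclass
class UploadVerdict:
    accepted: bool
    reason: str
    detected_type: Optional[str] = None

def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the image MIME type implied by the leading bytes, or None."""
    for mime, sigs in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in sigs):
            return mime
    return None

def validate_upload(content_length_header: str, declared_mime: str,
                    data: bytes, max_kb: int = 10) -> UploadVerdict:
    max_bytes = max_kb * 1024
    # 1) As in the CFML: reject a missing or malformed Content-Length before
    #    anything is written to disk.
    if not content_length_header.strip().isdigit():
        return UploadVerdict(False, "malformed Content-Length header")
    if int(content_length_header) > max_bytes:
        return UploadVerdict(False, "declared size exceeds limit")
    # 2) As in the CFML's second check: the header is client-controlled, so
    #    the real byte count is what decides.
    if len(data) > max_bytes:
        return UploadVerdict(False, "actual size exceeds limit")
    # 3) accept="image/*" only sees the type the browser claims...
    if not declared_mime.lower().startswith("image/"):
        return UploadVerdict(False, "declared type is not an image")
    # 4) ...so also require the bytes themselves to look like an image.
    detected = sniff_image_type(data)
    if detected is None:
        return UploadVerdict(False, "content does not match an image signature")
    return UploadVerdict(True, "ok", detected)

# Constructed samples: a PNG header stub, and an HTML page claiming to be a PNG.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SAMPLE_FAKE_PNG = b"<html><body>not an image</body></html>"
```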


--
----------------------------
Massimo Foti
[EMAIL PROTECTED]

http://www.massimocorner.com
Dreamweaver, Ultradev and Fireworks goodies

http://www.projectseven.com/viewer/snippets.htm
Snippets Panel
----------------------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Get the mailserver that powers this list at http://www.coolfusion.com
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists