"Jon Hall" <[EMAIL PROTECTED]> wrote in message news:022101c15d9b$237615e0
> Wow, after staring at the code scratching my head for a few minutes I
> finally think I get the concept of what you are doing.
> Basically this is taking the filename and loading the image via a file:// url
> from the local filesystem into a frame and getting all of the relevant data
> and passing it back to the original page with javascript. This is a really
> cool idea.
Exactly. The idea is not mine, I got it from a script somewhere; it was crude and simple but cool, so I expanded it much more and adapted the whole beast to make a DW extension out of it. Just a note: I am not using a frame, just creating a new image object, passing a url to the "new Image" constructor. The funny thing is that the url uses "file://" as pseudo-protocol, so I am pointing to the local file system. That's the core idea, but, again, it's not mine.

> Without testing the code out, is this not a huge security problem? I'm
> thinking that as long as the browser can handle the mime type that it
> would be possible to grab almost any file from the user's hd using the same
> concept with a few modifications.

Well, it may be, but there isn't much info you can grab from a file this way. For images you can take dimensions and file size... I have no idea if you could grab dangerous info pointing to a text file. Anyway, you still can't upload an arbitrary file from the local file system, but maybe you can read some info...

Since we are already posting huge chunks of code (I hope people don't mind too much): I developed quite a decent CFML file upload code in the past months. A few details were adapted to make it work better in Ultradev, but I think it may be handy. Using it together with the JavaScript code I posted before you have quite a sophisticated solution.
I hope one of these days I will write an article out of it, or maybe a custom tag. In the meantime, here it is:

<!--- If a form containing a field called "photo" was submitted --->
<cfif isDefined("form.photo") AND form.photo NEQ "">

    <!--- Check to see if the browser reported a well-formed content_length HTTP header --->
    <cfif cgi.content_length EQ "">
        <!--- Use cfscript to write the error, to avoid UD displaying bad things if the code is written above the <body> tag --->
        <cfscript>
            WriteOutput("Your browser reported a badly formed HTTP header; this could be caused by an error, a bug in your browser or the settings on your proxy/firewall");
        </cfscript>
        <!--- Abort processing --->
        <cfabort>
    </cfif>

    <!--- Set max size allowed in KB --->
    <cfset tmtMaxSizeKB="10">
    <!--- Convert the value to bytes --->
    <cfset tmtMaxSize=tmtMaxSizeKB*1024>

    <!--- Check the file size as reported by the HTTP header --->
    <cfif Val(cgi.content_length) GT tmtMaxSize>
        <cfscript>
            WriteOutput("The selected file's size is greater than the " & tmtMaxSizeKB & " KiloBytes maximum size allowed, please select another one and try again.");
        </cfscript>
        <!--- Abort processing --->
        <cfabort>
    </cfif>

    <!--- Upload the file, make unique names on clashes and allow only images --->
    <cftry>
        <cffile action="upload" filefield="photo" destination="#ExpandPath('images')#" nameconflict="makeunique" accept="image/*">
        <!--- If the file upload failed --->
        <cfcatch type="Any">
            <!--- Display errors --->
            <cfscript>
                WriteOutput("An error occurred during the file upload process.<br><br>");
                WriteOutput("This is likely due to one of the reasons below:<br><br>");
                WriteOutput("1) The MIME type of the uploaded file was not accepted by the server. Please verify that you are uploading a file of the appropriate type.<br>");
                WriteOutput("2) The application doesn't have the correct permissions on the server.<br><br>");
                WriteOutput("If the problem persists, please contact the website's administrator.");
            </cfscript>
            <!--- Abort processing --->
            <cfabort>
        </cfcatch>
    </cftry>

    <!--- If the file was saved --->
    <cfif isDefined("file.FileWasSaved")>

        <!--- To be sure, check the file size again, just in case the HTTP header was faked --->
        <cfif file.FileSize GT tmtMaxSize>
            <cfset tmtServerFilePath=file.ServerDirectory & "\" & file.ServerFile>
            <!--- Be sure the file exists before we delete it --->
            <cfif FileExists(tmtServerFilePath)>
                <cftry>
                    <!--- Delete the beast --->
                    <cffile action="delete" file="#tmtServerFilePath#">
                    <!--- Display error; it's a different message than before, good to catch the difference for debugging --->
                    <cfscript>
                        WriteOutput("The uploaded file's size is greater than the " & tmtMaxSizeKB & " KiloBytes maximum size allowed, please select another one and try again.");
                    </cfscript>
                    <!--- Abort processing --->
                    <cfabort>
                    <cfcatch type="Any">
                        <!--- Something went wrong on deleting, display error --->
                        <cfscript>
                            WriteOutput("An error occurred during the file upload process");
                        </cfscript>
                        <!--- Abort processing --->
                        <cfabort>
                    </cfcatch>
                </cftry>
            </cfif>
        </cfif>

        <!--- Store the name of the file inside the form variable --->
        <cfset form.photo=file.ServerFile>

        <!--- Redirect if needed --->
        <cfset tmt_upload_redirect="mypage.cfm">
        <cfif tmt_upload_redirect NEQ "">
            <cflocation url="#tmt_upload_redirect#">
        </cfif>

    <!--- If the file was not saved, display error then abort --->
    <cfelse>
        <cfscript>
            WriteOutput("An error occurred during the file upload process");
        </cfscript>
        <cfabort>
    </cfif>

</cfif>

--
----------------------------
Massimo Foti
[EMAIL PROTECTED]
http://www.massimocorner.com
Dreamweaver, Ultradev and Fireworks goodies
http://www.projectseven.com/viewer/snippets.htm
Snippets Panel
----------------------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Get the mailserver that powers this list at http://www.coolfusion.com
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
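The same defence-in-depth checks as the CFML upload code above (reject a malformed Content-Length, reject on the declared size, re-check the real size because the header is client-controlled and can be faked, accept only images, and make the stored name unique), as an added Python example that is not part of Massimo's code or the original post. It goes one step beyond the CFML by deciding the file type from the file's leading bytes instead of the browser-reported MIME type that accept="image/*" relies on; the size limit, function names and sample bytes are constructed for the example.

```python
import os
from typing import Optional, Set, Tuple

MAX_SIZE_KB = 10                 # same limit as tmtMaxSizeKB in the CFML
MAX_SIZE = MAX_SIZE_KB * 1024    # limit in bytes

# Magic bytes of accepted formats; the type is decided from the content, not from
# the MIME type the browser reports (which is all accept="image/*" can check).
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the image MIME type implied by the leading bytes, or None."""
    for magic, mime in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None

def make_unique_name(filename: str, existing: Set[str]) -> str:
    """Emulate nameconflict="makeunique": drop any client path, then add a counter."""
    base, ext = os.path.splitext(os.path.basename(filename))
    candidate, n = base + ext, 1
    while candidate in existing:
        candidate, n = f"{base}{n}{ext}", n + 1
    return candidate

def validate_upload(content_length: str, filename: str, data: bytes,
                    existing: Set[str]) -> Tuple[bool, str]:
    """Same checks, same order as the CFML: (True, stored_name) or (False, reason)."""
    # 1. Missing or malformed Content-Length (the cgi.content_length check).
    if not content_length.isdigit():
        return False, "bad Content-Length header"
    # 2. Cheap early rejection on the size the client declared.
    if int(content_length) > MAX_SIZE:
        return False, "declared size exceeds limit"
    # 3. Re-check the real size: the header can be faked (the file.FileSize check).
    if len(data) > MAX_SIZE:
        return False, "actual size exceeds limit"
    # 4. Accept only files whose bytes actually look like an image.
    if sniff_image_type(data) is None:
        return False, "not a recognised image"
    return True, make_unique_name(filename, existing)

# Constructed samples: a PNG header with padding, and a JPEG header padded past the limit.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 100
OVERSIZED_SAMPLE = b"\xff\xd8\xff" + b"\x00" * MAX_SIZE
```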