agree on the mime type stuff Chris. I don't want to upload the file and then check it out though. Seems like a much bigger security risk. Perhaps instead of looking at the mime type I can do a ListLast(serverFileName, ".") to get the extension and just compare that way instead of trusting the browser.
Mark Davis | Developer ............................................................................ ............................................. Round Table Group, Inc. (281) 717-4575 [email protected] <outbind://696-00000000879C9B08D9D9434BB0980BC1C3F44FE364B25100/www.roundtab legroup.com> www.roundtablegroup.com ............................................................................ ............................................. https://www.roundtablegroup.com/secure/staff/emailSignature/RTG_logo.bmp The Leading Authority in Expert Witness Search & ReferralTM CONFIDENTIALITY NOTE: This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named in the message originated by me and may contain legally privileged and/or confidential information. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this email in error, please notify me immediately by telephone and permanently delete the original and any copy of the email, and any printout thereof. Thank you. _____ From: [email protected] [mailto:[email protected]] On Behalf Of Chris Champion Sent: Thursday, July 30, 2009 3:23 PM To: [email protected] Subject: [houcfug] Re: cfcatch question Well, remember that you're still at risk-- when working with mime-type you're still trusting what the browser is telling you, and that's easy for a hacker to spoof. (As is being done in a current exploit botnets are trying.) I actually prefer the roll-your-own security that Ajas and Mike are suggesting. Use of a bit of file-shuffling gets around much of the danger level Billy pointed out of allowing it on the server. 1. Upload destination should be somewhere well out of web tree -- getTempDirectory is useful at these times. 2. Explicitly check the extension of the uploaded file. Throw an error if it isn't to your liking. 3. If the file seems ok, use cffile to move it from temp directory to its final location. 4. Continue processing remainder of form data and throw errors as appropriate. -CPC On Thu, Jul 30, 2009 at 3:04 PM, Mark Davis <[email protected]> wrote: exactly Billy. Want to keep the file off the server to start with Here is what I have working though. after investigating the cfcatch structure a bit, I noticed that if the error is thrown as a result of a filetype not listed in cffile accept="", cfcatch.mimetype is defined. Otherwise, its not. So for now, I have this... <cfcatch> <cfif isdefined("cfcatch.mimetype")> <!--- Log message ---> <cflog file="Public-Info-Messages" text="#cfcatch.message# #cfcatch.detail# #cfcatch.extendedInfo# Location: #errorLocation#" /> ...display some user message... <cfelse> <!--- log actual error ---> <cflog log="Application" text="#cfcatch.message# #cfcatch.detail# #cfcatch.extendedInfo# Location: #errorLocation#" /> ....display some user message... </cfif> </cfcatch> Will keep testing this. Thanks for the help guys. Mark Davis | Developer ............................................................................ ............................................. Round Table Group, Inc. (281) 717-4575 [email protected] www.roundtablegroup.com ............................................................................ ............................................. https://www.roundtablegroup.com/secure/staff/emailSignature/RTG_logo.bmp The Leading Authority in Expert Witness Search & ReferralTM CONFIDENTIALITY NOTE: This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named in the message originated by me and may contain legally privileged and/or confidential information. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this email in error, please notify me immediately by telephone and permanently delete the original and any copy of the email, and any printout thereof. Thank you. _____ From: [email protected] [mailto:[email protected]] On Behalf Of Billy Cravens Sent: Thursday, July 30, 2009 2:52 PM To: [email protected] Subject: [houcfug] Re: cfcatch question I doubt he wants to do that. Then he'd be letting the file onto the file system, which is what he's avoiding to begin with. By restricting the file type in the cffile tag, the file never gets saved to the file system, and the cffile structure is never set. -- Billy Cravens On Thu, Jul 30, 2009 at 2:28 PM, Mike G <[email protected]> wrote: Are you trying to catch on upload, or catching as soon as you start trying to process the uploaded file. If the latter, in the top of your cftry, evaluate cfile.serverfile extension (don't have the docs in front of me for the exact var that holds it) If it is not an allowable type, then use cfthrow and throw a custom exception. Then in you cfcatch, trap for that custom exception. pretty simple to do. On Thu, Jul 30, 2009 at 2:12 PM, Mark Davis<[email protected]> wrote: > hey gang, > > I have some pages where users upload photos and resumes. The mime types > allowed are limited to standard stuff. The page is wrapped in a try/catch, > that currently logs everything to one certain log file. We get a lot of > "errors" where the user is trying to upload an exe as a photo and crazy > stuff like that. I want a specific cfcatch type="" to catch only those > errors for mime type exceptions, handle those one way, then catch everything > else and handle a different way. I have the everything else, but I am > having issues figuring out the mime type catch. anyone? thanks > > > > Mark Davis | Developer > > ............................................................................ ............................................. > > Round Table Group, Inc. > > (281) 717-4575 > > [email protected] > > www.roundtablegroup.com <http://www.roundtablegroup.com/> > > ............................................................................ ............................................. > > > > The Leading Authority in Expert Witness Search & ReferralTM > > CONFIDENTIALITY NOTE: This e-mail, and any attachments thereto, is intended > only for use by the addressee(s) named in the message originated by me and > may contain legally privileged and/or confidential information. If the > reader of this message is not the intended recipient, you are hereby > notified that any dissemination, distribution or copying of this > communication is strictly prohibited. If you have received this email in > error, please notify me immediately by telephone and permanently delete the > original and any copy of the email, and any printout thereof. Thank you. > > > > > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the "Houston ColdFusion Users' Group" discussion list. To unsubscribe, send email to [email protected] For more options, visit http://groups.google.com/group/houcfug?hl=en -~----------~----~----~----~------~----~------~--~---
<<inline: image001.gif>>
<<inline: image001.gif>>
