Re: My limited testing shows this won't work...

2011-08-18 Thread Leigh

At that stage, the server has already received the uploaded file. 
Action=upload just moves and/or renames the file.

However, I still do not think it will work as you expect. #form.image# only 
contains a temporary file path at that point. The original/client file name is 
not available until after the cffile call completes.

    accept = "image/jpg, image/pjpg, image/jpeg, image/pjpeg"

Btw: Mime types are spoofable. Do you have other security measures in place? 
http://www.petefreitag.com/item

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:346842
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm


Re: My limited testing shows this won't work...

2011-08-18 Thread Pete Freitag

Rick,

You want to make sure you upload into a temporary directory that is outside
of the web root first, otherwise as Leigh pointed out the mime type could be
spoofed, and the file could be executed before you've even had a chance to
perform any other validation on it. The link got truncated in my email:
http://www.petefreitag.com/item/701.cfm

Once the file is in the temp directory you can give it a new name and move
it under the web root after you have performed your validations.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Thu, Aug 18, 2011 at 1:18 PM, Rick Faircloth r...@whitestonemedia.com wrote:


 Am I correct? The image upload, using makeUnique, can't be used
 in conjunction with reReplace as in:

 <cffile action="upload"
         filefield="image"
         destination="#expandPath('images\')##reReplace(image, '[^a-zA-Z0-9_.]', '', 'all')#"
         accept="image/jpg, image/pjpg, image/jpeg, image/pjpeg"
         nameConflict="makeUnique" />

 It doesn't seem like it should work, since I'm trying to use server-side CF
 while the server is actually receiving the image...

 Rick
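
The upload-then-validate-then-move flow Pete describes, written out as an added CFML example (this is not code from the thread or from Pete's article). It assumes getTempDirectory() resolves to a directory outside the web root on the server, and a jpg/jpeg/png/gif whitelist; the form field name "image" is taken from Rick's tag.

```cfml
<!--- Added example, not from the thread: receive outside the web root, validate, then move. --->
<!--- Assumption: getTempDirectory() is outside the web root on this server; adjust if not. --->
<cfset tempDir = getTempDirectory()>
<cfset finalDir = expandPath("images/")>
<cfset allowedExt = "jpg,jpeg,png,gif">

<!--- 1. Receive the file into the temp directory. accept= is only a first filter:
     the client supplies the MIME type, so it must not be trusted on its own. --->
<cffile action="upload"
        filefield="image"
        destination="#tempDir#"
        accept="image/jpg,image/pjpg,image/jpeg,image/pjpeg,image/png,image/gif"
        nameConflict="makeUnique">

<!--- cffile.serverFile / serverFileExt describe the file actually written.
     As Leigh noted, these are only available once the upload has completed. --->
<cfset tempPath = tempDir & cffile.serverFile>
<cfset ext = lCase(cffile.serverFileExt)>

<cftry>
    <!--- 2. Validate: extension whitelist, then check the bytes really are an image. --->
    <cfif NOT listFindNoCase(allowedExt, ext)>
        <cfthrow type="UploadRejected" message="Extension not allowed: #ext#">
    </cfif>
    <cfif NOT isImageFile(tempPath)>
        <cfthrow type="UploadRejected" message="File is not a valid image">
    </cfif>

    <!--- 3. Server-chosen name (never the client's) and only now move under the web root. --->
    <cfset safeName = createUUID() & "." & ext>
    <cffile action="move" source="#tempPath#" destination="#finalDir##safeName#">
    <cfoutput><p>Stored as #htmlEditFormat(safeName)#</p></cfoutput>

    <cfcatch type="any">
        <!--- Anything rejected (or failing mid-way) never leaves the temp directory. --->
        <cfif fileExists(tempPath)>
            <cffile action="delete" file="#tempPath#">
        </cfif>
        <cfoutput><p>Upload rejected.</p></cfoutput>
    </cfcatch>
</cftry>
```

If accept= itself rejects the upload, cffile throws before the cftry and nothing is written to disk at all.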



 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:346849


RE: My limited testing shows this won't work...

2011-08-18 Thread Rick Faircloth

Thanks, Pete!

I'll check out the link!

Rick

-Original Message-
From: Pete Freitag [mailto:p...@foundeo.com] 
Sent: Thursday, August 18, 2011 4:52 PM
To: cf-talk
Subject: Re: My limited testing shows this won't work...


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:346856