Re: My limited testing shows this won't work...
At that stage, the server has already received the uploaded file. action="upload" just moves and/or renames the file. However, I still do not think it will work as you expect. #form.image# only contains a temporary file path at that point. The original/client file name is not available until after the cffile call completes.

    accept="image/jpg, image/pjpg, image/jpeg, image/pjpeg"

Btw: MIME types are spoofable. Do you have other security measures in place?

http://www.petefreitag.com/item

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:346842
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: My limited testing shows this won't work...
Rick,

You want to make sure you upload into a temporary directory that is outside of the web root first, otherwise, as Leigh pointed out, the MIME type could be spoofed and the file could be executed before you've even had a chance to perform any other validation on it.

The link got truncated in my email: http://www.petefreitag.com/item/701.cfm

Once the file is in the temp directory you can give it a new name and move it under the web root after you have performed your validations.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

On Thu, Aug 18, 2011 at 1:18 PM, Rick Faircloth <r...@whitestonemedia.com> wrote:
> Am I correct?
>
> The image upload, using makeUnique, can't be used in conjunction with reReplace as in:
>
>     <cffile action="upload"
>             fileField="image"
>             destination="#expandPath('images\')##reReplace(image, '[^a-zA-Z0-9_.]', '', 'all')#"
>             accept="image/jpg, image/pjpg, image/jpeg, image/pjpeg"
>             nameConflict="makeUnique" />
>
> It doesn't seem like it should work, since I'm trying to use server-side CF while the server is actually receiving the image...
>
> Rick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:346849
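The two points raised in the thread, that the client file name is only available from the cffile result after the upload completes (Leigh) and that the file should land in a directory outside the web root and only be renamed and moved after validation (Pete), fit together in one upload handler. The following is an added example, not code posted by anyone in the thread. It assumes a form field named "image", a writable quarantine directory outside the web root (the path below is a placeholder), and a ColdFusion 9+ or Lucee server for isImageFile(), fileMove(), fileDelete() and fileExists().

```cfml
<!--- Added example (not from the thread). The quarantine path is a placeholder;
      it must be writable by the CF service account and must NOT be under the web root. --->
<cfset quarantineDir = "/var/cf-uploads/quarantine/">
<cfset publicDir     = expandPath("/images/")>          <!--- final location, inside the web root --->
<cfset allowedExts   = "jpg,jpeg,png,gif">

<cftry>
    <!--- Step 1: receive the bytes outside the web root under a CF-chosen unique name.
          accept= only compares the Content-Type the browser sent, which the client
          controls, so treat it as a convenience filter rather than the security check.
          If it rejects the file cffile throws, which the cfcatch below handles. --->
    <cffile action="upload"
            fileField="image"
            destination="#quarantineDir#"
            nameConflict="makeUnique"
            accept="image/jpg,image/pjpg,image/jpeg,image/pjpeg,image/png,image/gif"
            result="upload">

    <cfset savedPath = quarantineDir & upload.serverFile>

    <!--- Step 2: validate the content, not the declared type. isImageFile() decodes the
          file header, so a .cfm renamed to .jpg with a forged Content-Type fails here. --->
    <cfif NOT isImageFile(savedPath)>
        <cfthrow type="UploadRejected" message="Uploaded file is not a decodable image.">
    </cfif>

    <!--- Step 3: only now is the client's original name available (upload.clientFile).
          Whitelist the extension and strip everything but [A-Za-z0-9_] from the base name. --->
    <cfset ext      = lCase(listLast(upload.clientFile, "."))>
    <cfset baseName = reReplace(reReplace(upload.clientFile, "\.[^.]*$", ""), "[^a-zA-Z0-9_]", "", "all")>
    <cfif NOT listFindNoCase(allowedExts, ext)>
        <cfthrow type="UploadRejected" message="Extension '#ext#' is not allowed.">
    </cfif>
    <cfif NOT len(baseName)>
        <cfset baseName = "image">
    </cfif>

    <!--- Step 4: build a name the client never controlled and move it under the web root.
          The server-generated suffix avoids collisions; the whitelisted extension is what
          keeps the web server from ever treating the file as a script. --->
    <cfset newName   = baseName & "_" & lCase(replace(createUUID(), "-", "", "all")) & "." & ext>
    <cfset finalPath = publicDir & newName>
    <cfif fileExists(finalPath)>
        <cfthrow type="UploadRejected" message="Name collision on #newName#.">
    </cfif>
    <cfset fileMove(savedPath, finalPath)>

    <cfoutput><p>Stored as #htmlEditFormat(newName)#</p></cfoutput>

    <cfcatch type="any">
        <!--- Any failure leaves nothing in quarantine and nothing in the web root. --->
        <cfif isDefined("savedPath") AND fileExists(savedPath)>
            <cfset fileDelete(savedPath)>
        </cfif>
        <cfoutput><p>Upload rejected: #htmlEditFormat(cfcatch.message)#</p></cfoutput>
    </cfcatch>
</cftry>
```

Rick's one-liner tried to do the rename inside the destination attribute, where the client name is not yet known and where the file would already be under the web root if anything went wrong. Here the rename happens in step 3, from upload.clientFile, after the bytes have been inspected. Note that isImageFile() still accepts a valid image with script text appended, so the real guarantee against execution comes from step 4: the stored name uses a whitelisted image extension and a server-generated suffix, and the /images/ directory should be configured so the application server never executes anything in it.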
RE: My limited testing shows this won't work...
Thanks, Pete! I'll check out the link!

Rick

-----Original Message-----
From: Pete Freitag [mailto:p...@foundeo.com]
Sent: Thursday, August 18, 2011 4:52 PM
To: cf-talk
Subject: Re: My limited testing shows this won't work...

Rick,

You want to make sure you upload into a temporary directory that is outside of the web root first, otherwise, as Leigh pointed out, the MIME type could be spoofed and the file could be executed before you've even had a chance to perform any other validation on it.

The link got truncated in my email: http://www.petefreitag.com/item/701.cfm

Once the file is in the temp directory you can give it a new name and move it under the web root after you have performed your validations.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

On Thu, Aug 18, 2011 at 1:18 PM, Rick Faircloth <r...@whitestonemedia.com> wrote:
> Am I correct?
>
> The image upload, using makeUnique, can't be used in conjunction with reReplace as in:
>
>     <cffile action="upload"
>             fileField="image"
>             destination="#expandPath('images\')##reReplace(image, '[^a-zA-Z0-9_.]', '', 'all')#"
>             accept="image/jpg, image/pjpg, image/jpeg, image/pjpeg"
>             nameConflict="makeUnique" />
>
> It doesn't seem like it should work, since I'm trying to use server-side CF while the server is actually receiving the image...
>
> Rick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:346856