Re: Secure Image Uploads

2012-12-20 Thread Russ Michaels

Do a daily cleanup of uploaded files

Regards
Russ Michaels
www.michaels.me.uk
www.cfmldeveloper.com - Free CFML hosting for developers
www.cfsearch.com - CF search engine
On Dec 20, 2012 1:55 AM, "Pete Freitag" wrote:

>
> From a security perspective you don't want to skip the file extension
> test(s) - that is critical. Also make sure you upload to a directory
> outside of the webroot, then perform your validation. Only move it under
> the webroot if you are sure it is a valid image and has an approved file
> extension. Finally use your web server and/or CF sandbox security to
> prevent execution on the image upload folder.
>
> I also wrote a blog entry a while ago with some tips for secure file uploads:
> http://www.petefreitag.com/item/701.cfm
>
> --
> Pete Freitag - Adobe Community Professional
> http://foundeo.com/ - ColdFusion Consulting & Products
> http://hackmycf.com - Is your ColdFusion Server Secure?
> http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes
>
>
>
>
> On Tue, Dec 18, 2012 at 10:35 PM, Dan Baughman wrote:
>
> >
> > skip all the nonsense and just try to resize the image.
> >
> > If that fails it's either a color palette Java can't handle or it
> > isn't an image.
> >
> > - Dan
> >
> > On Tue, Dec 18, 2012 at 8:12 PM, Terry Troxel wrote:
> > >
> > > I am looking for a safe and secure way to put an example page on my
> > > site that will allow a potential client to upload a JPG in order to see
> > > an example of a responsive photo gallery he can create using my new
> > > responsive web template I am in the process of building.
> > > Here is what I am considering in the upload process:
> > > 1...JPG extension only
> > > 2...file size limit
> > > 3...remove exif data if it exists
> > > 4...Convert file to PNG and save after doing the resizing, etc. that I
> > > need to.
> > >
> > > I would like some opinions, suggestions, etc. to tell me if I am
> > > missing something or there are any other avenues I can pursue to
> > > accomplish my goal to stop anyone from using this to hack my site.
> > >
> > > Terry
> > >
> > >
> > >
> >
> >
>
> 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353554
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm


Re: Secure Image Uploads

2012-12-19 Thread Pete Freitag

From a security perspective you don't want to skip the file extension
test(s) - that is critical. Also make sure you upload to a directory
outside of the webroot, then perform your validation. Only move it under
the webroot if you are sure it is a valid image and has an approved file
extension. Finally use your web server and/or CF sandbox security to
prevent execution on the image upload folder.

I also wrote a blog entry a while ago with some tips for secure file uploads:
http://www.petefreitag.com/item/701.cfm

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes




On Tue, Dec 18, 2012 at 10:35 PM, Dan Baughman wrote:

>
> skip all the nonsense and just try to resize the image.
>
> If that fails it's either a color palette Java can't handle or it
> isn't an image.
>
> - Dan
>
> On Tue, Dec 18, 2012 at 8:12 PM, Terry Troxel wrote:
> >
> > I am looking for a safe and secure way to put an example page on my site
> > that will allow a potential client to upload a JPG in order to see an
> > example of a responsive photo gallery he can create using my new
> > responsive web template I am in the process of building.
> > Here is what I am considering in the upload process:
> > 1...JPG extension only
> > 2...file size limit
> > 3...remove exif data if it exists
> > 4...Convert file to PNG and save after doing the resizing, etc. that I
> > need to.
> >
> > I would like some opinions, suggestions, etc. to tell me if I am missing
> > something or there are any other avenues I can pursue to accomplish my
> > goal to stop anyone from using this to hack my site.
> >
> > Terry
> >
> >
> >
>
> 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353553
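The pipeline Pete describes, applied to Terry's checklist, as an added example that is not code from this thread (Python with the standard library rather than CFML): extension and size checks first, the upload written to a quarantine directory outside the webroot, the bytes validated as a JPEG by walking its marker segments while dropping the APP1 (EXIF/XMP) and COM segments, and only the cleaned copy, under a server-chosen name, written under the webroot. The 2 MB limit, the filename pattern and the two directories are assumptions; the resize/re-encode step from Terry's list and Dan's reply is left to an image library and not shown.

```python
import os, re, tempfile
MAX_BYTES = 2 * 1024 * 1024                      # size limit (assumed value)
APPROVED = re.compile(r'^[A-Za-z0-9_-]{1,64}\.jpe?g$', re.IGNORECASE)

def strip_exif(data: bytes) -> bytes:
    """Drop APP1 (EXIF/XMP) and COM segments; ValueError if not a JPEG."""
    if data[:3] != b'\xff\xd8\xff' or data[-2:] != b'\xff\xd9':
        raise ValueError('not a JPEG: SOI/EOI markers missing')
    out, pos = bytearray(b'\xff\xd8'), 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError('expected a marker at offset %d' % pos)
        marker = data[pos + 1]
        if marker == 0xDA:                       # SOS: entropy-coded data follows
            out += data[pos:]
            return bytes(out)
        seglen = int.from_bytes(data[pos + 2:pos + 4], 'big')
        if seglen < 2 or pos + 2 + seglen > len(data):
            raise ValueError('truncated segment at offset %d' % pos)
        if marker not in (0xE1, 0xFE):           # keep JFIF, DQT, SOF, DHT, ...
            out += data[pos:pos + 2 + seglen]
        pos += 2 + seglen
    raise ValueError('no SOS segment found')

def accept_upload(client_name, data, quarantine_dir, webroot_dir):
    """Checks, quarantine outside the webroot, validate, then move (Pete's order)."""
    if not APPROVED.match(client_name):
        raise ValueError('extension not on the approved list')
    if len(data) > MAX_BYTES:
        raise ValueError('file too large')
    fd, tmp = tempfile.mkstemp(dir=quarantine_dir, suffix='.upload')
    with os.fdopen(fd, 'wb') as f:
        f.write(data)                            # nothing in quarantine is served
    try:
        with open(tmp, 'rb') as f:
            clean = strip_exif(f.read())         # validate the on-disk upload
    finally:
        os.unlink(tmp)                           # quarantine never keeps a copy
    dest = os.path.join(webroot_dir, os.urandom(8).hex() + '.jpg')
    with open(dest, 'wb') as f:                  # server-chosen name, .jpg only
        f.write(clean)
    return dest

# Constructed sample (not a real photo): SOI, JFIF APP0, EXIF APP1 stub, tiny SOS, EOI.
SAMPLE_JPEG = (b'\xff\xd8'
               b'\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00'
               b'\xff\xe1\x00\x08Exif\x00\x00'
               b'\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x12\x34'
               b'\xff\xd9')
```

Preventing script execution in the destination folder, Pete's last point, is web-server or sandbox configuration and nothing this code can do by itself.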


Re: Secure Image Uploads

2012-12-18 Thread Dan Baughman

skip all the nonsense and just try to resize the image.

If that fails it's either a color palette Java can't handle or it
isn't an image.

- Dan

On Tue, Dec 18, 2012 at 8:12 PM, Terry Troxel wrote:
>
> I am looking for a safe and secure way to put an example page on my site
> that will allow a potential client to upload a JPG in order to see an
> example of a responsive photo gallery he can create using my new responsive
> web template I am in the process of building.
> Here is what I am considering in the upload process:
> 1...JPG extension only
> 2...file size limit
> 3...remove exif data if it exists
> 4...Convert file to PNG and save after doing the resizing, etc. that I need
> to.
>
> I would like some opinions, suggestions, etc. to tell me if I am missing
> something or there are any other avenues I can pursue to accomplish my goal
> to stop anyone from using this to hack my site.
>
> Terry
>
>
> 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353540


Secure Image Uploads

2012-12-18 Thread Terry Troxel

I am looking for a safe and secure way to put an example page on my site
that will allow a potential client to upload a JPG in order to see an
example of a responsive photo gallery he can create using my new responsive
web template I am in the process of building.
Here is what I am considering in the upload process:
1...JPG extension only
2...file size limit
3...remove exif data if it exists
4...Convert file to PNG and save after doing the resizing, etc. that I need
to.

I would like some opinions, suggestions, etc. to tell me if I am missing
something or there are any other avenues I can pursue to accomplish my goal
to stop anyone from using this to hack my site.

Terry


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353539