
Upload from local or URL, the most secure file extension check

Explorer, Sep 03, 2013

In short, I want to allow users to upload images from a local computer or a URL. So, what's the best approach to secure my application, more specifically to block all file extensions except those in a white list? I do not want to rely on the MIME type, simply because it can be easily faked and offers a false sense of security.

I would like to pass the data with jQuery; the code would look something like this:

// $("#image").val() only yields a fake path, not the file, so the file itself
// is appended to a FormData object and sent as multipart/form-data
var formData = new FormData();
formData.append("method", "uploadImages");
formData.append("returnformat", "JSON");
formData.append("post", $("#title").val());
formData.append("img", $("#image")[0].files[0]);

$.ajax({
    url: "cfc/uploadImg.cfc",
    type: "POST",
    dataType: "json",
    data: formData,
    processData: false,   // leave the FormData as-is instead of serialising it
    contentType: false,   // let the browser set the multipart boundary
    success: function(data) {
        /* shows error msg */
        alert(data);
    }
});

uploadImg.cfc:

some validation
...
and then something like this:

<cftry>
    <!--- filefield is the name of the form field, not a variable reference --->
    <cffile action="upload" filefield="img" destination="#GetTempDirectory()#" nameconflict="makeunique">

    <!--- extension white list: anything else is deleted again --->
    <cfif NOT ListFindNoCase("jpg,png", CFFILE.ServerFileExt)>
        <cfset errorMsg = "wrong file extension...">
        <cftry>
            <cffile action="delete" file="#CFFILE.ServerDirectory#/#CFFILE.ServerFile#">
            <cfcatch>
                <!--- the temp file could not be removed; nothing more to do here --->
            </cfcatch>
        </cftry>
    </cfif>

    <cfcatch>
        <cfset errorMsg = "upload failed: #cfcatch.message#">
    </cfcatch>
</cftry>

I know that this method is not bulletproof either, so what do you suggest?

Engaged, Sep 03, 2013

Besides checking the file extension, you could add another layer of security by using IsImageFile(). It supports:

  • JPEG
  • GIF
  • TIFF
  • PNG
  • BMP

http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7978.html

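Putting the question and the reply together, here is an added example of how the layers can be combined in one component. It is not code from the original thread; the component layout, the private validateAndStore() method, the "img" and "imageUrl" field names and the ../uploads/images directory are assumptions. It keeps the extension white list from the question, adds the IsImageFile() check from the reply, and then ties the file content to the extension with a magic-byte comparison (so a GIF renamed to .png is refused even though IsImageFile() accepts GIF), stores the file under a server-chosen name outside the web root, and covers the "from URL" half of the question with cfhttp, which the thread does not show.

```cfml
<!--- uploadImg.cfc (hypothetical; assumed names throughout) --->
<cfcomponent output="false">

    <!--- private: the same checks for a file already on disk, whatever its origin --->
    <cffunction name="validateAndStore" access="private" returntype="string" output="false">
        <cfargument name="tempPath" type="string" required="true">
        <cfargument name="ext" type="string" required="true">
        <cfset var allowed = "jpg,jpeg,png">
        <cfset var ext = LCase(arguments.ext)>
        <cfset var hex = "">
        <cfset var safeName = "">
        <!--- assumption: image store outside the web root, so nothing in it is ever executed --->
        <cfset var imageDir = ExpandPath("../uploads/images")>

        <!--- 1. extension white list; the extension is client-controlled, so this is only a first filter --->
        <cfif NOT ListFindNoCase(allowed, ext)>
            <cfthrow message="Wrong file extension: .#ext#">
        </cfif>

        <!--- 2. content check: an image decoder must accept the bytes --->
        <cfif NOT IsImageFile(arguments.tempPath)>
            <cfthrow message="File is not a valid image">
        </cfif>

        <!--- 3. the magic bytes must match the extension: FF D8 FF = JPEG, 89 50 4E 47 0D 0A 1A 0A = PNG --->
        <cfset hex = UCase(BinaryEncode(FileReadBinary(arguments.tempPath), "hex"))>
        <cfif (ListFindNoCase("jpg,jpeg", ext) AND Left(hex, 6) NEQ "FFD8FF")
              OR (ext EQ "png" AND Left(hex, 16) NEQ "89504E470D0A1A0A")>
            <cfthrow message="File content does not match its extension">
        </cfif>

        <!--- 4. server-assigned name: the client's file name never reaches the file system --->
        <cfif NOT DirectoryExists(imageDir)>
            <cfset DirectoryCreate(imageDir)>
        </cfif>
        <cfset safeName = CreateUUID() & "." & ext>
        <cfset FileMove(arguments.tempPath, imageDir & "/" & safeName)>
        <cfreturn safeName>
    </cffunction>

    <!--- remote: called by the jQuery upload with a multipart form field named "img" --->
    <cffunction name="uploadImages" access="remote" returntype="struct" returnformat="json" output="false">
        <cfargument name="post" type="string" required="false" default="">
        <cfset var result = { success = false, message = "", file = "" }>
        <cfset var upload = {}>
        <cfset var tempPath = "">
        <cftry>
            <!--- land in the temp directory first, never directly in the web root --->
            <cffile action="upload" filefield="img" destination="#GetTempDirectory()#"
                    nameconflict="makeunique" result="upload">
            <cfset tempPath = upload.serverDirectory & "/" & upload.serverFile>
            <cfset result.file = validateAndStore(tempPath, upload.serverFileExt)>
            <cfset result.success = true>
            <cfcatch>
                <!--- on any failure the temp copy is removed --->
                <cfif Len(tempPath) AND FileExists(tempPath)>
                    <cfset FileDelete(tempPath)>
                </cfif>
                <cfset result.message = cfcatch.message>
            </cfcatch>
        </cftry>
        <cfreturn result>
    </cffunction>

    <!--- remote: the "from URL" case; the server fetches the address itself, so restrict it --->
    <cffunction name="uploadFromUrl" access="remote" returntype="struct" returnformat="json" output="false">
        <cfargument name="imageUrl" type="string" required="true">
        <cfset var result = { success = false, message = "", file = "" }>
        <cfset var fetch = {}>
        <cfset var tempPath = "">
        <cfset var ext = "">
        <cftry>
            <cfif NOT ReFindNoCase("^https?://", arguments.imageUrl)>
                <cfthrow message="Only http(s) URLs are accepted">
            </cfif>
            <!--- extension taken from the URL path, before any query string --->
            <cfset ext = ListLast(ListFirst(arguments.imageUrl, "?"), ".")>
            <cfhttp url="#arguments.imageUrl#" method="get" getasbinary="yes" timeout="10" result="fetch">
            <cfif Left(fetch.statusCode, 3) NEQ "200">
                <cfthrow message="Could not fetch image: #fetch.statusCode#">
            </cfif>
            <cfset tempPath = GetTempDirectory() & "/" & CreateUUID() & ".tmp">
            <cfset FileWrite(tempPath, fetch.fileContent)>
            <cfset result.file = validateAndStore(tempPath, ext)>
            <cfset result.success = true>
            <cfcatch>
                <cfif Len(tempPath) AND FileExists(tempPath)>
                    <cfset FileDelete(tempPath)>
                </cfif>
                <cfset result.message = cfcatch.message>
            </cfcatch>
        </cftry>
        <cfreturn result>
    </cffunction>

</cfcomponent>
```

Two caveats go with this. IsImageFile() and the magic-byte check only prove that the bytes start like an image and that a decoder accepts them; a file can be a valid PNG and something else at the same time, so the control that actually matters is that nothing under the image directory is ever executed and that the client's file name is never used. The URL variant makes the server fetch attacker-chosen addresses, which is a server-side request forgery vector in its own right: before exposing it, restrict the hosts it may reach and cap the response size, neither of which the scheme check above does.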