In short, I want to allow users to upload images from a local computer or URL. So, what's the best approach to secure my application, more specifically to block all file extensions except those in a white list? I do not want to rely on MIME type simply because it can be easily faked and offers a false sense of security.
I would like to pass data with jQuery; the code would look something like this:
    $.ajax({
        url: "cfc/uploadImg.cfc",
        dataType: 'JSON',
        data: {
            method: 'uploadImages',
            returnformat: 'JSON',
            post: $("#title").val(),
            img: $("#image").val()
        },
        success: function(data) {
            /* shows error msg */
            alert(data);
        }
    });
uploadImg.cfc:

    some validation
    ...

and then something like this:
    <cftry>
        <!--- filefield is the name of the form field, not a variable reference --->
        <cffile action="upload" filefield="img" destination="#GetTempDirectory()#" nameconflict="makeunique">
        <cfif NOT ListFindNoCase("jpg,png", CFFILE.ServerFileExt)>
            <cfset errorMsg = "wrong file extension...">
            <cftry>
                <cffile action="delete" file="#CFFILE.ServerDirectory#\#CFFILE.ServerFile#">
                <cfcatch type="any">
                    <!--- delete failed; the rejected file is still in the temp directory --->
                </cfcatch>
            </cftry>
        </cfif>
        <cfcatch type="any">
            <cfset errorMsg = cfcatch.message>
        </cfcatch>
    </cftry>
I know that this method is also not bulletproof, so what do you suggest?
Besides checking the file extension, you could add another layer of security by using IsImageFile(). It supports:
http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7978.html
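Putting both layers together, here is an added example (not code from the thread) of the uploadImages method: upload to the temp directory, whitelist the extension ColdFusion actually wrote to disk, confirm the bytes parse as an image with IsImageFile(), and only then move the file under a server-generated name. The form field name "img" and the "/uploads/" destination are assumptions.

```cfml
<cfcomponent>
    <cffunction name="uploadImages" access="remote" returnformat="JSON" output="false">
        <cfset var result = { success = false, message = "" }>
        <cfset var upload = "">
        <cfset var tempPath = "">
        <cfset var finalName = "">
        <!--- extension white list; the check is done on the file written to disk, not the MIME type --->
        <cfset var allowedExt = "jpg,jpeg,png">

        <!--- 1. Land the file in the temp directory, never directly in the web root --->
        <cffile action="upload" filefield="img" destination="#GetTempDirectory()#"
                nameconflict="makeunique" result="upload">
        <cfset tempPath = upload.serverDirectory & "/" & upload.serverFile>

        <cftry>
            <!--- 2. Extension check against the white list --->
            <cfif NOT ListFindNoCase(allowedExt, upload.serverFileExt)>
                <cfthrow message="Only #allowedExt# files are accepted.">
            </cfif>
            <!--- 3. Content check: IsImageFile() parses the bytes, so a renamed executable fails here --->
            <cfif NOT IsImageFile(tempPath)>
                <cfthrow message="File is not a valid image.">
            </cfif>
            <!--- 4. Store under a server-generated name so the user-supplied name never reaches disk
                  (assumed destination: /uploads/ under the web root) --->
            <cfset finalName = CreateUUID() & "." & LCase(upload.serverFileExt)>
            <cffile action="move" source="#tempPath#" destination="#ExpandPath('/uploads/')##finalName#">
            <cfset result.success = true>
            <cfset result.message = finalName>
            <cfcatch type="any">
                <cfset result.message = cfcatch.message>
            </cfcatch>
        </cftry>

        <!--- 5. Whatever happened, do not leave a rejected file behind in temp --->
        <cfif FileExists(tempPath)>
            <cffile action="delete" file="#tempPath#">
        </cfif>
        <cfreturn result>
    </cffunction>
</cfcomponent>
```

IsImageFile() only proves the bytes decode as an image, not that the file carries nothing else, so the uploads directory should be one from which the server never executes scripts.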