I want to user to upload attachement to my upload directory like following
<cfset strPath = ExpandPath( "./" ) />
<cfset strPath = GetDirectoryFromPath(GetCurrentTemplatePath()) />
I use above code which gives me the following path.
Are there any way to add \uploadFile to the return path?
Your help and information is great appreciated,
I usually manage this in my application.cfc in onApplicationStart function, example:
var varAppDrive = listFirst(cgi.path_translated, ":");
application.upload_folder = varAppDrive & ":\inetpub\wwwroot\MySite\Test\uploadFile";
In the app you can use:
<cfset strPath = application.upload_folder />
I hope this help.
I'd strongly recommend not allowing files to be uploaded anywhere inside of your web root (i.e.: inside "\inetpub\wwwroot"). This is a major security hole and attack vector. It would allow malicious users to upload executable files or scripts and subsequently execute them from the browser.
Thanks for the information,
I use accept to only allow pdf, doc, xls files to upload.
Can I upload to any physic diretory what I specify using ColdFusion for C:\MyTempDiretory?
If so, user still be able to upload malicious code to tempdirectory as well.
I think that the solution is to limit the file types to upload and prohibit folder files to excute.
Thanks again for helping,
Depending on the version of CF you are using, the "allow" filtering may not be adequate. It is easy to spoof this by merely changing the extension of a file to appear to be a pdf, doc, xls file. CF10 did add the ability to actually check the mime type of upoaded files to validate them, which does improve the security of uploads.
Regardless, uploading directly to a folder within the web root violates web development best practices, regardless of whether you are using ColdFusion or any other server-side programming technology.