Hello,
I'm trying to implement the cffileupload widget and restrict it to only be able to upload image files.
You do have an extension filter which can be set to *.jpg, *.png etc., but the user can still select other file types by using the *.* command in the explorer popup.
So I thought to restrict it on the actual cffile "upload" tag in the backend; however, all files have the mime type "application/octet-stream" and not image/jpg.
Any ideas how to really restrict this tag?
Maybe it is related to this issue:
http://www.elliottsprehn.com/cfbugs/bugs/81254
tx
You need to check the cffile.ServerFileExt variable which contains the file extension to make sure it matches your set of allowed extensions. Make sure you upload into a folder outside of the webroot first (such as getTempDirectory()) to avoid some potential security issues.
You can also use IsImageFile() in addition to the file extension test, but you should not rely on isImageFile (always check the file extensions).
If you have CF10 you can use <cffile accept="*.jpg,*.png" strict="false" ...> as well.
In short: don't rely on the mime type for anything; it can be spoofed by a hacker to upload malicious files. Always check the file extension (worth repeating).
-- Pete Freitag
Foundeo Inc - Makers of HackMyCF & FuseGuard
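A complete upload handler that follows the steps in the answer above (upload into a temp directory outside the webroot, check cffile.serverFileExt against an allow-list, then IsImageFile, then move under a server-generated name). This is an added example, not code from the poster or from Pete Freitag; the form field name "photo" and the /uploads/ destination folder are assumptions.

```cfml
<!--- Added example: the form field "photo" and the /uploads/ folder are assumed names --->
<cfset allowedExt = "jpg,jpeg,png,gif">
<cfset tempDir    = getTempDirectory()>        <!--- outside the webroot --->
<cfset finalDir   = expandPath("/uploads/")>    <!--- assumed destination --->

<!--- Step 1: land the file in the temp directory first, never directly under the webroot.
      On CF10+ you could additionally add accept="*.jpg,*.png" strict="false" here. --->
<cffile action="upload"
        filefield="photo"
        destination="#tempDir#"
        nameconflict="makeunique"
        result="upload">

<cfset tempPath = upload.serverDirectory & "/" & upload.serverFile>
<cfset ext      = lcase(upload.serverFileExt)>

<!--- Step 2: the extension check is the one that matters; the browser-supplied
      mime type (upload.contentType) is client-controlled and is not consulted at all. --->
<cfif NOT listFindNoCase(allowedExt, ext)>
    <cffile action="delete" file="#tempPath#">
    <cfthrow message="Only image files are allowed (#allowedExt#).">
</cfif>

<!--- Step 3: IsImageFile() as a second, weaker check on the actual content --->
<cfif NOT isImageFile(tempPath)>
    <cffile action="delete" file="#tempPath#">
    <cfthrow message="Uploaded file is not a valid image.">
</cfif>

<!--- Step 4: move into place under a server-generated name, so the
      client-chosen filename never reaches the web-accessible folder --->
<cfset safeName = createUUID() & "." & ext>
<cffile action="move" source="#tempPath#" destination="#finalDir##safeName#">
```

The `result` attribute on `<cffile action="upload">` needs ColdFusion 9 or later; on older releases read the same keys from the default `cffile` scope instead.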