1 Reply Latest reply on Jul 2, 2013 5:56 AM by pete_freitag

    cffileupload mime type restriction?

    N0cT1v4Gus

      Hello,

      I'm trying to implement the cffileupload widget and restrict it to only be able to upload image files.

      You do have an extension filter which can be set to *.jpg, *.png etc., but the user can still select other file types by using the *.* command in the explorer popup.

      So I thought to restrict it on the actual cffile "upload" tag in the backend, however all files are having the mime type "application/octet-stream" and not image/jpg.

      Any ideas how to really restrict this tag?

      Maybe it is related to this issue:

      http://www.elliottsprehn.com/cfbugs/bugs/81254

      tx

        • 1. Re: cffileupload mime type restriction?
          pete_freitag Adobe Community Professional

          You need to check the cffile.ServerFileExt variable, which contains the file extension, to make sure it matches your set of allowed extensions. Make sure you upload into a folder outside of the webroot first (such as getTempDirectory()) to avoid some potential security issues.

          You can also use IsImageFile() in addition to the file extension test, but you should not rely on isImageFile (always check the file extensions).

          If you have CF10 you can use <cffile accept="*.jpg,*.png" strict="false" ...> as well.

          In short: don't rely on the mime type for anything; it can be spoofed by a hacker to upload malicious files. Always check the file extension (worth repeating).

          -- Pete Freitag

          Foundeo Inc - Makers of HackMyCF & FuseGuard
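A worked version of the checks Pete lists above (upload outside the webroot, extension allow list, IsImageFile() as a secondary check, then move), as an added example that is not code from this thread or from Adobe. It assumes a form field named `uploadFile` and a final folder `/uploads` under the webroot; both names are assumptions.

```cfml
<!--- Added example (not from the thread). Assumed names: form field "uploadFile", final folder /uploads. --->
<cfset allowedExt = "jpg,jpeg,png,gif">

<!--- 1. Upload into a temp directory OUTSIDE the webroot first, so nothing is ever
        served from the upload location before it has been validated. --->
<cffile action="upload"
        fileField="uploadFile"
        destination="#getTempDirectory()#"
        nameConflict="makeUnique"
        result="upload">

<cfset tempPath = upload.serverDirectory & "/" & upload.serverFile>

<!--- 2. Check the server-side extension against the allow list.
        upload.contentType / contentSubType come from the client and are not trusted. --->
<cfif NOT listFindNoCase(allowedExt, upload.serverFileExt)>
    <cffile action="delete" file="#tempPath#">
    <cfthrow message="File type not allowed: #upload.serverFileExt#">
</cfif>

<!--- 3. Secondary check: does the content actually parse as an image?
        This is in addition to, never instead of, the extension check. --->
<cfif NOT isImageFile(tempPath)>
    <cffile action="delete" file="#tempPath#">
    <cfthrow message="Uploaded file is not a valid image">
</cfif>

<!--- 4. Only a file that passed both checks is moved to its final location. --->
<cffile action="move"
        source="#tempPath#"
        destination="#expandPath('/uploads/')##upload.serverFile#">
```

On CF10 you can additionally put `accept="*.jpg,*.png" strict="false"` on the upload tag so the server rejects other extensions before the file is written at all; the explicit allow-list check on `serverFileExt` stays as the authoritative gate, and the client-supplied MIME type is never consulted.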