1 Reply Latest reply on Sep 3, 2013 9:50 PM by p.sim

    upload from local or url, the most secure file extension check

    pirula08 Level 1

      In short, I want to allow users to upload images from a local computer or a URL. So, what's the best approach to secure my application, more specifically to block all file extensions except those in a whitelist? I do not want to rely on the MIME type simply because it can be easily faked and offers a false sense of security.


      I would like to pass data with jQuery; the code would look something like this:

          $.ajax({
              url: "cfc/uploadImg.cfc",
              dataType: 'JSON',
              data: {
                  method : 'uploadImages',
                  returnformat : 'JSON',
                  post: $("#title").val(),
                  img: $("#image").val()   /* note: .val() on a file input only gives the file name, not the file */
              },
              success: function(data) {
                  /* shows error msg */
              }
          });

      some validation

      and then something like this:

        <cffile action="upload" filefield="arguments.img" destination="#GetTempDirectory()#" nameconflict="makeunique">

        <cfif NOT ListFindNoCase("jpg,png", CFFILE.ServerFileExt)>
            <cfset errorMsg = "wrong file extension...">
            <cffile action="delete" file="#CFFILE.ServerDirectory#\#CFFILE.ServerFile#">
        </cfif>

      I know that this method also is not bulletproof, so what do you suggest?
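As an added example (not from this thread, and written in Python rather than CFML so the logic is easy to read and port into the uploadImages CFC), here is the server-side check the post is reaching for: take only the last extension, compare it case-insensitively against the whitelist, confirm the file's leading bytes match the format that extension claims instead of trusting the client-sent MIME type, and let the server choose the stored name. Accepting `.jpeg` alongside `.jpg` and the 64-character name limit are assumptions, not anything the post specifies.

```python
import posixpath
import re

# Whitelist from the post (plus .jpeg as an assumption); compared lower-cased.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png"}

# First bytes each accepted format must start with (JPEG SOI marker, PNG signature).
MAGIC_NUMBERS = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9_-]+")


def _basename(original_name: str) -> str:
    """Drop any directory part, whether the client used / or \\ (e.g. C:\\fakepath\\x.png)."""
    return posixpath.basename(original_name.replace("\\", "/"))


def extension_of(original_name: str) -> str:
    """Return the LAST extension, lower-cased.
    'shell.jpg.php' -> 'php' (rejected later); 'photo.JPG' -> 'jpg'; 'noext' -> ''."""
    name = _basename(original_name)
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()


def safe_basename(original_name: str) -> str:
    """Server-chosen stem: strip the extension, replace anything outside [A-Za-z0-9_-]."""
    name = _basename(original_name)
    stem = name.rsplit(".", 1)[0] if "." in name else name
    stem = _UNSAFE_CHARS.sub("_", stem).strip("_") or "upload"
    return stem[:64]  # 64-char cap is an assumption


def validate_upload(original_name: str, content: bytes):
    """Return (ok, stored_name) on success or (False, reason) on rejection.
    The extension must be whitelisted AND the bytes must match that format."""
    ext = extension_of(original_name)
    if ext not in ALLOWED_EXTENSIONS:
        return False, "wrong file extension"
    if not any(content.startswith(magic) for magic in MAGIC_NUMBERS[ext]):
        return False, "content does not match extension"
    return True, f"{safe_basename(original_name)}.{ext}"
```

In the CFC this corresponds to checking `CFFILE.ServerFileExt` against the list, then reading the first bytes of the temp file before moving it out of `GetTempDirectory()` under a name the server picked.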