1 Reply Latest reply on Sep 3, 2013 9:50 PM by p.sim

    upload from local or url, the most secure file extension check

    pirula08

      In short, I want to allow users to upload images from a local computer or URL. So, what's the best approach to secure my application, more specifically to block all file extensions except those in a white list? I do not want to rely on MIME type simply because it can be easily faked and offers a false sense of security.

       

      I would like to pass data with jQuery; the code would look something like this:

       

      $.ajax({
          url: "cfc/uploadImg.cfc",
          type: "POST",
          dataType: "json",
          data: {
              method: "uploadImages",
              returnformat: "JSON",
              post: $("#title").val(),
              // note: .val() on a file input yields only the file name;
              // the file bytes themselves have to go out as multipart form data
              img: $("#image").val()
          },
          success: function(data) {
              /* shows error msg */
              alert(data);
          }
      });

       

       

      uploadImg.cfc

      some validation
      ...
      and then something like this:

       

      <cftry>
          <cffile action="upload" filefield="arguments.img" destination="#GetTempDirectory()#" nameconflict="makeunique">

          <!--- whitelist check on the extension ColdFusion reports, not on the client-supplied MIME type --->
          <cfif NOT ListFindNoCase("jpg,png", CFFILE.ServerFileExt)>
              <cfset errorMsg = "wrong file extension...">

              <!--- remove the rejected file from the temp directory --->
              <cftry>
                  <cffile action="delete" file="#CFFILE.ServerDirectory#\#CFFILE.ServerFile#">
                  <cfcatch>
                      <!--- delete failed; nothing more to do here --->
                  </cfcatch>
              </cftry>
          </cfif>
          <cfcatch>
              <cfset errorMsg = "upload failed: #cfcatch.message#">
          </cfcatch>
      </cftry>

       

       

      I know that this method also is not bulletproof, so what do you suggest?
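A layered version of the check the question describes, added here as an example (it is not from the original post or the poster's CFC) and written in Python rather than CFML so the logic runs stand-alone: the same extension whitelist as the ListFindNoCase call, plus a magic-byte check on the content and a server-generated filename, with the client MIME type never consulted. The function name, the whitelist table and the sample inputs are constructed for this example.

```python
import os
import secrets
from typing import Optional, Tuple

# Whitelist keyed by extension (constructed for this example). Each entry
# lists the leading bytes a genuine file of that type starts with; the
# MIME type the browser sends is never used.
ALLOWED_SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
}


def check_upload(client_name: str, data: bytes) -> Tuple[Optional[str], str]:
    """Return (safe_name, "") if the upload is accepted, else (None, reason).

    Order of checks: reject names containing a null byte (some runtimes
    truncate the name there), drop any directory part, take the extension
    from the LAST dot only (so "page.php.jpg" is judged as .jpg and must then
    also carry a JPEG signature), compare it against the whitelist, and
    finally confirm the content starts with the signature for that extension.
    """
    if not client_name or "\x00" in client_name:
        return None, "invalid filename"
    base = os.path.basename(client_name.replace("\\", "/"))
    if "." not in base:
        return None, "no file extension"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_SIGNATURES:
        return None, f"extension .{ext} not allowed"
    if not any(data.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        return None, f"content does not match a .{ext} file"
    # Store under a server-generated name: the user-supplied name never
    # reaches the filesystem, and the extension is the one just verified.
    return f"{secrets.token_hex(16)}.{ext}", ""
```

A signature prefix can still be satisfied by a crafted file that is also valid as something else, so for images the stronger final step is to decode and re-encode the file with an image library before storing it.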