5 Replies Latest reply on Sep 9, 2013 3:58 PM by iccsi

    get attachment directory

    iccsi Level 1

      I want to user to upload attachement to my upload directory like following




      <cfset strPath = ExpandPath( "./" ) />

      <cfset strPath = GetDirectoryFromPath(GetCurrentTemplatePath())  />

      <cfoutput> #strPath#</cfoutput>


      I use above code which gives me the following path.




      Are there any way to add \uploadFile to the return path?


      Your help and information is great appreciated,





        • 1. Re: get attachment directory
          jfb00 Level 3

          I usually manage this in my application.cfc in onApplicationStart function, example:


          var varAppDrive = listFirst(cgi.path_translated, ":");

          application.upload_folder =  varAppDrive & ":\inetpub\wwwroot\MySite\Test\uploadFile";


          In the app you can use:

          <cfset strPath = application.upload_folder />

          <cfoutput> #strPath#</cfoutput>

          I hope this help.


          • 2. Re: get attachment directory
            Carl Von Stetten Adobe Community Professional & MVP



            I'd strongly recommend not allowing files to be uploaded anywhere inside of your web root (i.e.: inside "\inetpub\wwwroot").  This is a major security hole and attack vector.  It would allow malicious users to upload executable files or scripts and subsequently execute them from the browser.

            Always upload to a folder outside your web root, validate what was uploaded, then move to a folder inside the webroot ***if appropriate***.
            -Carl V.
            • 3. Re: get attachment directory
              iccsi Level 1

              Thanks for the information,

              I use accept to only allow pdf, doc, xls files to upload.

              Can I upload to any physic diretory what I specify using ColdFusion for C:\MyTempDiretory?

              If so, user still be able to upload malicious code to tempdirectory as well.

              I think that the solution is to limit the file types to upload and prohibit folder files to excute.


              Thanks again for helping,






              • 4. Re: get attachment directory
                Carl Von Stetten Adobe Community Professional & MVP

                Depending on the version of CF you are using, the "allow" filtering may not be adequate.  It is easy to spoof this by merely changing the extension of a file to appear to be a pdf, doc, xls file.  CF10 did add the ability to actually check the mime type of upoaded files to validate them, which does improve the security of uploads.


                Regardless, uploading directly to a folder within the web root violates web development best practices, regardless of whether you are using ColdFusion or any other server-side programming technology.


                -Carl V.

                • 5. Re: get attachment directory
                  iccsi Level 1

                  Thanks a million for the information and help,