Simple file upload protection
These days it's all over the news that there is a new security bug in ColdFusion regarding file uploads and spoofing the mimetype. We use the bit of code below to simply check the combination of content type and file extension. If the combination does not match... bye bye.

<cfset stAllow = structNew() />
<cfset stAllow["image"] = "jpg,gif,png,jpeg" />
<cfset stAllow["file"] = "doc,xls,pdf,rtf,txt" />
<cfset stAllow["application"] = "zip,rar,doc,pdf,xls,ppt,swf,flv,txt" />
<cfset stAllow["audio"] = "mp3,mpa,mpg,ra,wav" />
<cfset stAllow["video"] = "mov,qt,mpeg,mp3,mpa,mpg" />
<cfset stAllow["text"] = "txt,htm,html,log,css" />
<cfif structKeyExists(stAllow, file.contenttype) && listFindNoCase(stAllow[file.contenttype], file.serverfileext)>
    You may pass...
<cfelse>
    You will NOT pass!!!
    <!--- Delete the file or something --->
</cfif>

This works in a simple yet very effective way. Keep in mind that the content type is sent by the browser, so it can be spoofed just as easily as the file name; what the check really enforces is that the extension of the saved file is on the allow list for the claimed type. People could still upload a .cfm file renamed to .gif, but to the web server that is just an image file and it is never handed to the ColdFusion engine, so no harm there. Be careful with extensions the browser will happily render, such as htm, html and swf: the web server serves those as-is from your site, so only allow them if you really need them. You can change the structure to your liking of course.
Some other tips: give the web server only read rights on the upload directory (no script or execute permission), and if the directory is reachable from the web, put an Application.cfm containing only a <cfabort> tag in it, so ColdFusion aborts any .cfm that ends up there before it runs. Note that this only helps for files ColdFusion processes; static files are still served directly by the web server, so storing uploads outside the web root is safer still.
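As an added, complete example (not the code from the post above): the same allow list applied around an actual cffile upload, with a rejected file deleted and an accepted one moved under a server-chosen name. It assumes a form field named upload, a holding directory outside the web root (the paths below are placeholders) and that the upload result is stored in a variable named upl.

```cfml
<!--- Added example, not the original post's code. Assumes a form field "upload",
      a holding directory outside the web root and a static-only destination
      directory; both paths are placeholders for your environment. --->
<cfset stAllow = structNew() />
<cfset stAllow["image"] = "jpg,gif,png,jpeg" />
<cfset stAllow["application"] = "zip,pdf,doc,xls,ppt" />
<cfset stAllow["text"] = "txt,csv" />

<cfset holdingDir = "C:\uploads_holding\" />   <!--- placeholder: not web accessible --->
<cfset finalDir   = expandPath("/files/") />   <!--- placeholder: web accessible, static files only --->

<cfif structKeyExists(form, "upload") and len(form.upload)>
    <!--- Upload into the holding directory first, never straight into the web root.
          nameConflict="makeunique" prevents overwriting an existing file. --->
    <cffile action="upload"
            fileField="upload"
            destination="#holdingDir#"
            nameConflict="makeunique"
            result="upl" />

    <!--- upl.contentType is the client-supplied major type (image, application, text...),
          upl.serverFileExt the extension of the file as it was saved (without the dot).
          The extension must be on the list for the claimed type. --->
    <cfset ext = lCase(upl.serverFileExt) />
    <cfset okExt = structKeyExists(stAllow, upl.contentType)
                   and listFindNoCase(stAllow[upl.contentType], ext) gt 0 />

    <cfif upl.fileWasSaved and okExt>
        <!--- Rename to a server-chosen name: the original file name is attacker controlled --->
        <cfset safeName = createUUID() & "." & ext />
        <cffile action="move"
                source="#holdingDir##upl.serverFile#"
                destination="#finalDir##safeName#" />
        <cfoutput><p>Stored as #safeName#</p></cfoutput>
    <cfelse>
        <!--- Rejected: remove whatever landed in the holding directory --->
        <cfif upl.fileWasSaved>
            <cffile action="delete" file="#holdingDir##upl.serverFile#" />
        </cfif>
        <cfoutput><p>Rejected: #htmlEditFormat(upl.contentType)#/#htmlEditFormat(ext)# is not allowed.</p></cfoutput>
    </cfif>
</cfif>
```

The holding directory matters: cffile has already written the file to disk by the time the check runs, so it should never be written to a web-reachable path first. The result attribute of cffile upload requires ColdFusion 8 or later; on older versions the same fields are available in the cffile scope.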
Tjarko @ 07/07/09 12:27 cet