
Simple file upload protection

These days it's all over the news that there is a new security bug in ColdFusion regarding file uploads and spoofing the MIME type. We use the bit of code below to simply check the combination of content type and file extension. If the combination does not match... bye bye

<!--- Allowed extensions per MIME major type (the "image" part of "image/gif") --->
<cfset stAllow = structNew() />
<cfset stAllow["image"] = "jpg,gif,png,jpeg" />
<cfset stAllow["file"] = "doc,xls,pdf,rtf,txt" />
<cfset stAllow["application"] = "zip,rar,doc,pdf,xls,ppt,swf,flv,txt" />
<cfset stAllow["audio"] = "mp3,mpa,mpg,ra,wav" />
<cfset stAllow["video"] = "mov,qt,mpeg,mp3,mpa,mpg" />
<cfset stAllow["text"] = "txt,htm,html,log,css" />

<!--- "file" is the cffile upload result struct (result="file"): contenttype holds the
      major type, serverfileext the extension the file was saved with --->
<cfif structKeyExists(stAllow, file.contenttype) && listFindNoCase(stAllow[file.contenttype],file.serverfileext)>
    You may pass...
<cfelse>
    You will NOT pass!!!
    <!--- Delete the file or something --->
</cfif>


This works in a simple yet very effective way. People could still upload a file that is a .cfm renamed to .gif, but to the web server it will be an image file.. no harm there. You can change the structure to your liking, of course.

Some other tips are to only set "read" rights to the upload dir, and to place an application.cfm file with a <cfabort> tag in the upload dir (if it's accessible from the web).
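Putting the pieces above together as one upload handler, as an added example that is not the post's own code: it assumes a form field named "upload", a variable uploadDir pointing at the upload directory, and the upload result stored as "file" via result="file".

```cfml
<!--- Added example. Assumes uploadDir is a directory the web server only has
      "read" rights on (an Application.cfm with <cfabort> lives there too). --->
<cfset uploadDir = expandPath("./uploads") />

<!--- Allowed extensions per MIME major type, as in the post --->
<cfset stAllow = structNew() />
<cfset stAllow["image"] = "jpg,gif,png,jpeg" />
<cfset stAllow["file"] = "doc,xls,pdf,rtf,txt" />
<cfset stAllow["application"] = "zip,rar,doc,pdf,xls,ppt,swf,flv,txt" />
<cfset stAllow["audio"] = "mp3,mpa,mpg,ra,wav" />
<cfset stAllow["video"] = "mov,qt,mpeg,mp3,mpa,mpg" />
<cfset stAllow["text"] = "txt,htm,html,log,css" />

<!--- Save the upload first. The accept attribute is not used, because it is
      matched against the Content-Type header the client sends, which is
      exactly the value that can be spoofed. --->
<cffile action="upload"
        filefield="upload"
        destination="#uploadDir#"
        nameconflict="makeunique"
        result="file" />

<cfset savedFile = file.serverDirectory & "/" & file.serverFile />

<!--- file.contentType holds only the major type (e.g. "image"),
      file.serverFileExt the extension the file was actually saved with --->
<cfif structKeyExists(stAllow, file.contentType)
      AND listFindNoCase(stAllow[file.contentType], file.serverFileExt)>
    <cfoutput>Stored #file.serverFile# (#file.contentType#/#file.contentSubType#)</cfoutput>
<cfelse>
    <!--- Combination not on the list: remove the file straight away --->
    <cffile action="delete" file="#savedFile#" />
    <cfoutput>Rejected: type #file.contentType# with extension .#file.serverFileExt#</cfoutput>
</cfif>
```

The Application.cfm the post recommends for the upload directory needs nothing more than a single <cfabort> tag, so any request for a file in that directory that does reach ColdFusion stops before the file is processed.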

5381 viewed | 2 opinion(s) | Tjarko @ 07/07/09 12:27 cet


Reactions:

dave wrote.... (mail)

"only set "read" rights to the upload dir,"
then how you gunna upload into it?

07 July 2009 16:42 cet  

Tjarko wrote.... (site)

@dave, read rights for the webserver, not for the filesystem

07 July 2009 16:44 cet  
