Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

CFFILE and Tif Files

Posted on 2001-08-09
11
Medium Priority
?
492 Views
Last Modified: 2013-12-24
When I upload a TIF file via CFFILE I am informed that the mime type for this file is "Application/Octet-stream" rather than "images/tiff".  

This allows users to upload executables which is obviously a security risk.  We don't want this to happen.

Is there a solution to this problem ?

I would be grateful for all advice offered.

Thanks in advance

John
0
Comment
Question by:johnclarke
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +3
11 Comments
 
LVL 19

Expert Comment

by:cheekycj
ID: 6368141
detect the type of file it was and delete it if it isn't type tiff...

<CFSET uploadPath = "d:\inetpub\wwwroot\mywebsite\uploaddir\">
<CFLOCK timeout="60" throwontimeout="yes">
<cffile action="UPLOAD" filefield="#FORM.filename#" destination="#uploadPath#" nameconflict="MAKEUNIQUE" accept="application/octet-stream">
</CFLOCK>
<CFIF FILE.FileWasSaved>
   <CFIF File.ClientFileExt IS NOT "tiff">
       <CFLOCK timeout="60" throwontimeout="yes">
         <cffile action="DELETE" filefield="#FORM.filename#" destination="#uploadPath#">
       </CFLOCK>      
       Please upload TIFF Files only.
       File was not uploaded
   </CFIF>
</CFIF>

You can use JavaScript to check the extension before they click submit.

You can also do some parsing of the name to check the extension before you upload.

CJ
0
 

Author Comment

by:johnclarke
ID: 6368428
CJ,
   Thanks for your comment.  In the program we need to upload more than one type of file.  However, we wish to prevent a user from upload executables (eg PL,EXE, etc).

Users can change the file extension so we need a way to make CFFILE identify the correct mime type.

Thanks in advance

John
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 6368464
Well, the problem is that the mime-type of a file is dictated by the browser settings.. so I can change go and change my browser settings to make .exe files of type image or whatever.

CJ
0
Understanding Web Applications

Without even knowing it, most of us are using web applications on a daily basis. Gmail and Yahoo email, Twitter, Facebook, and eBay are used by most of us daily—and they are web applications. We often confuse these web applications tools for websites.  So, what is the difference?

 
LVL 14

Expert Comment

by:Scott Bennett
ID: 6369220
The best way to do this would be to have a javascript validation on the form and to also set the <cffile> tag to only accept the MIME type you want. The following example is set to accept gif's, bmp's, jpg's, and tif's.

NOTE: CJ had the same answer as this so If it works for you he should get the points. I just decided to give you some example code to look at since I had it handy.

-Scott





ImageUpload_1.cfm:

----------------------------------------------------------

<!--- This Javascript Validates the Image field --->
<script language="JavaScript1.2">

   
function Check_File_Field(){

         var TheValue = eval("document.ImageUpload.ImageFile.value");
         var FileType = TheValue.substr(TheValue.length-3, 3);
         
         if (TheValue == ""){
              alert("Please Select an Image to Upload");
         }
         
         
         if ( FileType == "gif" || FileType == "jpg" || FileType == "bmp" || FileType == "tif" ) {
                   document.ImageUpload.submit();
         }
         
         else{
              alert("The file is not a valid Image file.");
              eval("document.ImageUpload.ImageFile.focus()");
         }
    }
</script>
ImageUpload_1.cfm:

<!--- This form uploads the Image --->
<cfform name="ImageUpload" action="ImageUpload_2.cfm" enctype="multipart/form-data">
<input name="ImageFile" type="file">
<input type="Button" value="Upload Image" onclick="Check_File_Field()">
</cfform>

----------------------------------------------------------

ImageUpload_2.cfm:

-----------------------------------------------------------

<!--- If a file has been uploaded use cffile to check that it is am image file and store it in your
image folder --->
<cfif isDefined("Form.ImageFile")>
<CFFILE ACTION="upload"
   FILEFIELD="ImageFile"
   DESTINATION="C:\inetpub\wwwroot\ImageFolder"     NAMECONFLICT="MakeUnique"
    Accept="image/gif, image/pjpeg, image/bmp, image/tif"
    >

<!--- The following structure contains info on the file wich may be helpful for you to add the image
to your content management system --->

<cfset stFile = StructNew()>
<cfset stFile.FileName = "#file.serverfile#">
<cfset stFile.FilePath = "#file.serverdirectory#">
<cfset stFile.FileURL = "/ImageFolder/#file.serverfile#">

</cfif>

---------------------------------------------------------



0
 
LVL 5

Expert Comment

by:heathprovost
ID: 6394577
"Users can change the file extension so we need a way to make CFFILE identify the correct mime type."

The mime type is entirely determined by the file extension anyway, so it really wont matter much.

Heath
0
 
LVL 1

Accepted Solution

by:
snakehollywood earned 200 total points
ID: 6402150
To check a whole bunch of extensions from CF use

<CFIF NOT ListFind(File.ClientFileExt, "tiff,jpg,gif")>
delete the file
</cfif>
0
 
LVL 1

Expert Comment

by:Moondancer
ID: 6777997
johnclarke--->  You logged in recently, but did not update/finalize your open questions.  Please do.

If you've been helped, please accept the expert comment which helped you to grade and close it.  If you need help splitting points between multiple experts, comment with detail.

I will post this in all your open questions and monitor them for closure.  Please check the HELP DESK link on the left for site-related information on the Question/Answer process, Guidelines and Member Agreement.

Expert input is always welcome to determine the fair outcome of this question in the event johnclarke does not respond.

Thanks all,

Moondancer
Community Support Moderator @ Experts Exchange
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 6779274
IMHO split btw SBennett and me.

CJ
0
 
LVL 14

Expert Comment

by:Scott Bennett
ID: 6780469
I find it odd that snakehollywood's comment was accepted as the answer for this question. In my opinion it was probably the least usefull comment on this whole string.

Scott
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 6780471
Well, I guess if it satisfied the question asker...

CJ
0
 
LVL 1

Expert Comment

by:Moondancer
ID: 6780630
Thanks, johnclarke, for returning and updating/finalizing your questions.  Thank you also, CJ.

Moondancer
Community Support Moderator @ Experts Exchange
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

One of the typical problems I have experienced is when you have to move a web server from one hosting site to another. You normally prepare all on the new host, transfer the site, change DNS and cross your fingers hoping all will be ok on new server…
Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …
Video by: ITPro.TV
In this episode Don builds upon the troubleshooting techniques by demonstrating how to properly monitor a vSphere deployment to detect problems before they occur. He begins the show using tools found within the vSphere suite as ends the show demonst…
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …
Suggested Courses

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question