Solved

Document upload restrictions with CFFILE

Posted on 2004-09-16
Last Modified: 2013-12-24
I am finishing up a document management system and want to add restrictions to what a user can upload to the server.  I have a couple questions that I need to figure out...

1.  What would be a list of file extensions that I would want to exclude?

2.  Is there a way to check for these "bad" extensions on the client side and display a popup before the form is submitted? (Any javascript code out there?)

3.  Is there an attribute in CFFILE for doing this on the server side?  I can't seem to remember.  Or is there another way to do the server side check.

4.  On a slightly different note... should I be doing a check for the size of the file before it is uploaded and can I set a file size limit anywhere?

Thanks for any input!

Tim
Question by:Ike23
9 Comments
 
LVL 21

Expert Comment

by:pinaldave
Hi Ike23,
I am using a free custom tag for doing this which is known as IAUpload. I found this on the Macromedia site...
the file which I upload is like this....

        <CF_IAUpload FILE=form.uploadImage
                     UPLOADDIR="#admin.path#\include\images"
                     RENAME="#dateformat(variables.timenow,"mmddyyyy")#_#timeformat(variables.timenow,"hhmmss")#"
                     ALLOWEDMIME="image/pjpeg,image/jpeg,image/gif,application/x-shockwave-flash,application/zip,application/x-zip-compressed,image/png,image/x-png,application/postscript"
                     FILESIZEMAX="9000000">

answers to your questions....

1.  What would be a list of file extensions that I would want to exclude?

you can specify mime types for uploads..

2.  Is there a way to check for these "bad" extensions on the client side and display a popup before the form is submitted? (Any javascript code out there?)

CRC check... I do not know how to go about them...

3.  Is there an attribute in CFFILE for doing this on the server side?  I can't seem to remember.  Or is there another way to do the server side check.


CRC check... I do not know how to go about them... I am not aware of ...

4.  On a slightly different note... should I be doing a check for the size of the file before it is uploaded and can I set a file size limit anywhere?

you can use maxfilesize as specified in the code...

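you can retrieve them from this code....from your directory

<!--- getattach is the poster's own query of attachment names (not shown) --->
<cfloop query="getattach">
    <cfloop index="ListElement" list="gif,jpg,jpeg,png,zip,swf,ai">
        <!--- look for <filename>.<extension> in the upload directory --->
        <cfdirectory
            action="list"
            directory="#admin.path#\include\images\"
            name="getFileName"
            filter="#trim(getattach.filename)#.#ListElement#">
    </cfloop>
</cfloop>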

Regards,
---Pinal
0
 
LVL 4

Author Comment

by:Ike23
I have a form that is working already for my uploads and I need a list of extensions to exclude not extensions to include.  This looks like a cool tag but isn't what I'm looking for.  I maybe need the javascript code to check on the client side and then I guess I can just do a <cfif> on the server side and catch any bad extensions that way.  I'm not sure that you can check the file size on the client side before it is sent to the server but that would be really cool.

T
0
 
LVL 17

Expert Comment

by:Tacobell777
with client side you could write some js to check if the last 3 characters of the file are not 'exe' or 'com' or whatever you want to exclude..

0
 
LVL 17

Expert Comment

by:anandkp
Refer this code : http://www.experts-exchange.com/Web/WebDevSoftware/ColdFusion/Q_20663901.html

1. The list of extensions wld depend on what u want users to upload
2. client side checks - http://javascript.internet.com/forms/upload-filter.html
3. with CFFILE - u can use
<CFFILE ACTION="UPLOAD" FILEFIELD="New_FieldName" DESTINATION="#FilePath#" NAMECONFLICT="MakeUnique" ACCEPT="image/jpeg">
Note the accept attribute ... that does the job for u
4. File size can be checked using ...
<CFIF FILE.FileSize LT 30><!--- Size chk ---></CFIF>

lemme know ...

K'Rgds
Anand
0
 
LVL 4

Author Comment

by:Ike23
Any example of how to use javascript to write the check?
0
 
LVL 17

Expert Comment

by:anandkp
from above :
2. client side checks - http://javascript.internet.com/forms/upload-filter.html
0
 
LVL 4

Author Comment

by:Ike23
I want to allow any files to be uploaded except for files that end in a certain extension.  This is the other way around where I would have to make a list of files I want to upload.  I already have the list of files I want to prevent.  Is there any way to do a client and server side check to make sure the file's extension is NOT in the list of "bad" file names?
0
 
LVL 21

Accepted Solution

by:
pinaldave earned 350 total points
Well, what you can do is this... on server side.... but you have to upload the file first and then after you can just ignore it.
like this :
1) client file
2) temp storage
3) final destination

1) upload the files from the client side (any file)
2) in the temp storage check the extension like listlast(filename, '.') which will give you the extension of the file.
Now use listcontains to know if this is in your "bad" file extension list or not... if it is there then do not move it to the final destination and delete it.

Btw, you can do it without temp storage and do all of the above in final area but this is for extra security.
Regards,
---Pinal
0
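
The client-side check asked about in this thread, as an added example that is not code from any poster. It goes beyond the last-extension test described above: it normalises case, path prefixes and trailing dots, refuses double extensions, and checks the size through the browser File API. The deny-list contents, the form id `uploadForm` and the field name `uploadFile` are assumptions; a browser check can be bypassed, so the same extension test has to run again on the server after CFFILE has stored the file.

```javascript
// Sample deny-list, constructed for this example (the thread does not give one).
const BLOCKED = new Set(["exe", "com", "bat", "cmd", "scr", "vbs", "js",
                         "cfm", "cfml", "cfc", "jsp", "asp", "aspx", "php"]);
const MAX_BYTES = 9000000; // same limit as FILESIZEMAX in the IAUpload call above

// Browsers report "C:\fakepath\name.ext" (older ones the real path); keep the name only.
function baseName(path) {
  return String(path).split(/[\\\/]/).pop();
}

// Lower-cased dot-separated segments after the first. Trailing dots and spaces
// are stripped first because Windows drops them on save ("a.exe." becomes "a.exe").
function extensionsOf(fileName) {
  const cleaned = baseName(fileName).replace(/[. ]+$/, "").toLowerCase();
  return cleaned.split(".").slice(1);
}

// file: anything shaped like a File object ({ name, size }).
function checkFile(file, maxBytes = MAX_BYTES) {
  // Every segment is checked, so "report.cfm.txt" is refused as well as "report.cfm".
  const hit = extensionsOf(file.name).find((e) => BLOCKED.has(e));
  if (hit) return { ok: false, reason: "blocked extension ." + hit };
  if (file.size > maxBytes) return { ok: false, reason: "file too large" };
  return { ok: true, reason: "" };
}

// Browser wiring; the form id "uploadForm" and field name "uploadFile" are hypothetical.
if (typeof document !== "undefined") {
  document.getElementById("uploadForm").addEventListener("submit", (ev) => {
    const file = ev.target.elements.uploadFile.files[0];
    const result = file ? checkFile(file) : { ok: false, reason: "no file chosen" };
    if (!result.ok) {
      ev.preventDefault(); // stop the POST before the file leaves the browser
      alert("Upload refused: " + result.reason);
    }
  });
}
```

Checking every segment also refuses harmless names such as `my.com.report.pdf`; switch to the last segment only if that trade-off does not suit the document store.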
