Rejecting long filenames before the file is stored via cffile?

iamkillyou

Programmer
Jul 12, 2001
30
US
I'm writing an image upload script, and I'm trying to make it as secure as possible, but I have run into an issue with very long file names.

I believe I have tried everything, but I cannot stop cffile from storing a filename that is too long onto my server.

I have cfdumped all of the variables I can think of, but nothing gives me a clue as to what the file name is going to be before cffile stores it (which is too late as I can not delete these files via ftp).

I have tried these cfdumps

<cfdump var="#form#"><BR>
<cfdump var="#cgi#"><BR>
<cfdump var="#client#"><BR>
<cfdump var="#uploadFile#"><BR>

The only one that comes close is attemptedserverfilename but this is after a cffile.

anyway here is the file name -- I know it seems excessive but I am trying to make this as nuke proof as possible:

4444444444433333322222222222222222222222222222222222222222
2222222222222222222222222222222222222222222222222222222222
2222222222222222222222222222222222222222222222222222222222
222222222222222222222222222221104.jpg

This little code snippet seems to be the only place I can get a handle on it (which again is too late):

Code:
         <cfset uploadPath = GetDirectoryFromPath(GetTemplatePath()) & "uploads\">
         <cfset request.AcceptImage="image/gif,image/jpg,image/jpeg,image/pjpeg,image/x-png">
         <cffile action="upload" fileField="UploadFile" destination="#uploadPath#" nameConflict="MakeUnique" accept="#request.AcceptImage#">
         <cfif Len(File.ClientFile) GT 50>
            Whoa!!! file name is to looooooooooooooooooooooooong!!!!!<br>
            <cfoutput><cfdump var="#cffile#"></cfoutput>
            <cfabort>
         </cfif>

I was hoping that the temporary server file name was going to be the answer but it's formatted like this:

C:\CFusionMX\runtime\servers\default\SERVER-INF\temp\

Does anyone have any ideas?
 
If you want to know the len of the filename before it's uploaded, talk to the JavaScript forum. They can help you parse the filename from the path and check the length. JavaScript forum: forum216

A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.
-Douglas Adams (1952-2001)
 
I was hoping there would be a way to reject the upload with a coldfusion only approach...

I'll look into it though.

My "pie in the sky" dream answer, was an undocumented cffile flag like:

<cffile action="uploadtest" maxfilelength="50".....

 
go to the macromedia site and fill out a feature request. you'll have to do a site search for "wish list" to find it.

you could do this

<cffile action = "upload" fileField = "UploadFile" destination = "#expandpath(foo)#">
<cfif len(file.serverfile) gt 50>
<!--- name is too long: remove the file that was just stored --->
<cffile action = "delete" file = "#expandpath(foo)#/#file.serverfile#">
</cfif>

or rename it
<cfif len(file.serverfile) gt 50>
<!--- get the first 45 characters of the file name then append the extension with dot --->
<cfset newFileName = left(file.ServerFile, 45) & "." & file.ServerFileExt>
<cffile action = "rename" source = "#expandpath(foo)#/#file.serverfile#" destination = "#expandpath(foo)#/#newFileName#">
</cfif>

 
Well the issue is with the file name being too long, when outputting my cfcatch errors I see:

The destination
"E:\SiteData\webppliance\conf\domains\websitepart\InetPub\tmp\uploads\11111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111test_jpeg.jpg"
specified in the CFFILE tag is invalid.
The destination either does not exist or is not accessible by this tag.

That is the exact path and file name -- the issue is that the file name is too long and can not be deleted, I've tested other files and I can delete them so this is not the issue.

I think I am going to have to go the javascript route...
 
If the file name is too long, a lot of times the system will rename it to something like blablablablabla~.jpg. Is that the case here? All you have to do is find out what the system is doing to the file name to find it with cffile.

 
The system is naming the file as specified in my post above -- I can see it when I ftp to the site as well.

The problem is that I can not delete it even from ftp.

I think I am going to do an 'on click' on the upload button that checks the length of the input text; to nip this in the bud before it hits CF.

 
Use onsubmit: when the form is submitted, check the length of the file. You're going to have to find the last "\" in the string and get the length of the remainder. The JS crew can help better. Chances are this question's been asked before though. Do a search in the JS forum for something like "length file name upload" and see what you come up with.

 
I'm doing it this way...
(I know this probably shouldn't go here but in the future if anyone follows this thread it will help)
Code:
<script language="JavaScript">
function testInput(){
   // maximum filename length; used for both the check and the message
   var maxLength = 50;
   var fullpath = document.forms['upload_form'].UploadFile.value;
   // keep only the part after the last backslash (the bare filename)
   var filename = fullpath.substring(fullpath.lastIndexOf('\\') + 1);
   if(filename.length > maxLength){
      alert ("The file you are attempting to send:\n" + filename + "\nis " + filename.length +
      " characters long.\nFilenames with more than " + maxLength + " characters are not permitted; shorten the filename.");}
   else{
      document.upload_form.submit();}}
</script>

.....

<input type="button" name="upload_now" value="Submit" onClick="testInput()">
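
A stricter form of the client-side check in the post above, as an added example that is not part of the original thread: it accepts either path separator (current browsers report `C:\fakepath\name`), and checks the extension against the image types in the thread's `accept` list. All function and constant names are assumptions. A request that never passes through the form skips this check, so the 50-character rule still has to be enforced on the server.

```javascript
// Added example. The 50-character limit and the extension list are taken from
// the thread (the Len() check and the accept list); all names are assumptions.
const MAX_NAME_LENGTH = 50;
const ALLOWED_EXTENSIONS = ['gif', 'jpg', 'jpeg', 'png'];

// Last path component, whichever separator the browser reported.
function baseName(value) {
  const cut = Math.max(value.lastIndexOf('\\'), value.lastIndexOf('/'));
  return value.substring(cut + 1);
}

// Validate the value of a file input. Returns { ok, name, reason }.
function checkUploadName(value, maxLength = MAX_NAME_LENGTH) {
  const name = baseName(String(value || '')).trim();
  if (name === '') {
    return { ok: false, name, reason: 'no file selected' };
  }
  if (name.length > maxLength) {
    return { ok: false, name,
      reason: `name is ${name.length} characters long; the limit is ${maxLength}` };
  }
  // Control characters and characters Windows does not allow in a file name.
  if (/[\x00-\x1f<>:"|?*]/.test(name)) {
    return { ok: false, name, reason: 'name contains characters that are not allowed' };
  }
  const dot = name.lastIndexOf('.');
  const ext = dot > 0 ? name.substring(dot + 1).toLowerCase() : '';
  if (!ALLOWED_EXTENSIONS.includes(ext)) {
    return { ok: false, name, reason: 'only gif, jpg, jpeg and png files are accepted' };
  }
  return { ok: true, name, reason: '' };
}

// Form hook: <form name="upload_form" onsubmit="return validateUpload(this)">
function validateUpload(form) {
  const result = checkUploadName(form.UploadFile.value);
  if (!result.ok) {
    alert('Cannot upload "' + result.name + '": ' + result.reason);
  }
  return result.ok; // returning false cancels the submit
}

// Constructed sample inputs, including a long name like the one in the thread.
const SAMPLES = ['C:\\fakepath\\photo.jpg', '/home/user/pic.PNG',
  '2'.repeat(200) + '1104.jpg', 'C:\\docs\\notes.txt'];
const sampleResults = SAMPLES.map((value) => checkUploadName(value));
```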
 
thank you for posting the answer

 