
Upload security


bigKev (IS-IT--Management), Mar 16, 2001
If I validate that files must be .gif or .jpg before they are uploaded to my server using CFFILE, does that secure the upload from viruses?

I had planned to do a quick javascript check, but have now found "accept=image/*", which is safer...

Also, can the size of the uploaded file be regulated as I don't want my users sticking massive files up?
 
Hey BigKev,

Using that wouldn't necessarily stop a virus from being uploaded as they could just change the extension before uploading. They would of course have to have some type of script access to rename it back to an .exe but technically it could still get on your server.

I'm not sure I understand your concern though as uploading a virus to your server won't do anything. The virus has to be run before it can do any harm and as long as you have your directories set to scripts only, there shouldn't be any way to actually run it.

In regards to the size question, I don't believe there is any way to limit files by size in the current version of CF. The best way IMO is to allow the upload, then use cfdirectory to return information about the file. If its size is above the limit, use <cffile> to delete it and display an error message to the user.

Hope this helps,
GJ
 
Excellent, that's just what I needed, I had a feeling it would be safe anyway, but a little knowledge can be more dangerous than none, and the boss had heard the word virus and panicked!!

Thanks for the CFDIRECTORY tip, like it!
 
There are some useful ways to monitor what's going to be uploaded onto your server.
First is to use a behaviour in Dreamweaver 4 developed by Massimo Foti ("Check Image Upload 1.1") that allows you to recognize many image details before the file is uploaded, such as dimensions, size etc.
The second is to use a CF custom (free) tag named "CF_imagesize" that you may find on the Allaire site.
With this tag you may discard all the files that do not match GIF and JPG requirements, such as dimensions and type of GIF (87 or 89) and JPEG compression ratio.
In fact these parameters can't be easily embedded into an infected file in the right position.
To distinguish a possible executable file you may follow the same approach as CF_imagesize, simply reading the header of the file.
An executable file has many parameters that may be read and discovered.
The ultimate possibility is to install onto your server a detection program (there are many of them specifically designed for this purpose) and to call it via a custom tag that executes the check over the uploaded file and may get back some alarm condition parameters.
All these ways have benefits and drawbacks. Choose the one (or the ones) that better meets your requirements.

Have a nice weekend.

Sergio
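The two pieces of advice in this thread, GJ's "upload first, check the size with cfdirectory, delete with cffile if it is too big" and Sergio's "read the file header the way CF_imagesize does, so a renamed executable does not pass as a GIF or JPEG", fit together into one post-upload check. The script below is an added example written for this thread; it is not code from the original posts, from CF_imagesize or from Allaire, and it is written in Python rather than CFML so it can be run offline. The 512 KiB size cap, the 4096-pixel dimension ceiling, the function names and the sample files are all assumptions made for the example.

```python
import os
import struct

# Hypothetical site policy, assumed for this example: 512 KiB cap, GIF/JPEG only.
MAX_UPLOAD_BYTES = 512 * 1024
ALLOWED_EXTENSIONS = {".gif", ".jpg", ".jpeg"}
MAX_DIMENSION = 4096  # assumed sanity bound on width/height

# Leading bytes of native executables (DOS/PE and ELF). A file that starts this
# way is rejected no matter which extension the client chose for it.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")


def sniff_gif(data):
    """Return GIF version (87 or 89) and logical-screen size, or None if not a GIF header."""
    if len(data) < 10 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    width, height = struct.unpack("<HH", data[6:10])  # GIF stores these little-endian
    return {"type": "gif", "version": data[3:5].decode("ascii"), "width": width, "height": height}


def sniff_jpeg(data):
    """Walk JPEG marker segments to the first SOFn frame header and read its size."""
    if len(data) < 4 or data[:3] != b"\xff\xd8\xff":
        return None
    pos = 2  # just past the SOI marker
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None  # lost sync: not a well-formed marker stream
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker, skip it
            pos += 1
            continue
        if marker == 0xD9:  # EOI reached without a frame header
            return None
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:  # standalone markers, no length
            pos += 2
            continue
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        # SOF0..SOF15 carry the frame size, except DHT (C4), JPG (C8) and DAC (CC).
        if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
            if pos + 9 > len(data):
                return None
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
            return {"type": "jpeg", "width": width, "height": height}
        pos += 2 + seg_len
    return None


def check_upload(path):
    """Apply the thread's policy to an already-saved upload. Returns (accepted, reason)."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    if os.path.getsize(path) > MAX_UPLOAD_BYTES:  # the cfdirectory-style size check
        return False, "file exceeds size limit"
    with open(path, "rb") as f:
        head = f.read(64 * 1024)  # headers sit at the front; no need to read a big file whole
    if head.startswith(EXECUTABLE_MAGIC):
        return False, "executable header"
    info = sniff_gif(head) or sniff_jpeg(head)
    if info is None:
        return False, "not a GIF or JPEG header"
    if not (0 < info["width"] <= MAX_DIMENSION and 0 < info["height"] <= MAX_DIMENSION):
        return False, "implausible dimensions"
    return True, info["type"]


def quarantine_if_rejected(path):
    """Mirror the cffile advice: keep an accepted file, delete a rejected one."""
    ok, reason = check_upload(path)
    if not ok:
        os.remove(path)
    return ok, reason
```

The extension check alone is what the original question relied on; the header sniff is what catches the renamed executable GJ describes, and the size check is GJ's after-the-fact alternative to a limit the upload tag itself did not offer. Any content that is neither a parseable GIF nor a parseable JPEG is removed from disk, so the only files left behind are ones the server could have served as images anyway.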
 