cffileupload mime type restriction?

Asked by a Known Participant, July 2, 2013 (Answered, 1 reply, 771 views)

Hello,

I'm trying to implement the cffileupload widget and restrict it to only be able to upload image files.

You do have an extension filter which can be set to *.jpg, *.png etc., but the user can still select other file types by using the *.* command in the explorer popup.

So I thought to restrict it on the actual cffile "upload" tag in the backend; however, all files have the MIME type "application/octet-stream" and not image/jpg.

Any ideas how to really restrict this tag?

Maybe it is related to this issue:

http://www.elliottsprehn.com/cfbugs/bugs/81254

Thanks

    Correct answer: pete_freitag (Participating Frequently), July 2, 2013

    You need to check the cffile.ServerFileExt variable, which contains the file extension, to make sure it matches your set of allowed extensions. Make sure you upload into a folder outside of the webroot first (such as getTempDirectory()) to avoid some potential security issues.

    You can also use IsImageFile() in addition to the file extension test, but you should not rely on IsImageFile() (always check the file extensions).

    If you have CF10 you can use <cffile accept="*.jpg,*.png" strict="false" ...> as well.

    In short: don't rely on the MIME type for anything; it can be spoofed by a hacker to upload malicious files. Always check the file extension (worth repeating).

    -- Pete Freitag

    Foundeo Inc - Makers of HackMyCF & FuseGuard
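The steps in the accepted answer put together in one request handler, as an added example that is not part of the original thread or of Foundeo's products: upload to the temp directory first, allow-list cffile.ServerFileExt, use IsImageFile() only as a second signal, then move the file under a server-generated name. The form field name imageFile, the /uploads/ destination and the allowed-extension list are assumptions for the example; CF9 or later is assumed for the functions used.

```cfml
<!--- Added example (not from the original thread). Assumptions: the upload form field is named
      "imageFile" and approved images are moved to expandPath("/uploads/"); change both to suit. --->
<cfset allowedExts = "jpg,jpeg,png,gif">

<!--- 1. Upload into the system temp directory, which is outside the webroot, so an attacker can
        never request the file before it has been validated. --->
<cffile action="upload"
        fileField="imageFile"
        destination="#getTempDirectory()#"
        nameConflict="makeunique"
        result="upload">

<cfset tempPath = upload.serverDirectory & "/" & upload.serverFile>

<cftry>
    <!--- 2. Extension allow-list on cffile.ServerFileExt. upload.contentType is deliberately ignored:
            it comes from the client and is spoofable (and shows up as application/octet-stream here). --->
    <cfif NOT listFindNoCase(allowedExts, upload.serverFileExt)>
        <cfthrow type="UploadRejected" message="Extension not allowed: .#upload.serverFileExt#">
    </cfif>

    <!--- 3. Content check as a second signal. A .cfm renamed to .jpg fails here, but this
            supplements the extension check rather than replacing it. --->
    <cfif NOT isImageFile(tempPath)>
        <cfthrow type="UploadRejected" message="File is not a valid image.">
    </cfif>

    <!--- 4. Move into the real destination under a server-chosen name; the client's file name is
            never reused, so path characters or double extensions in it cannot matter. --->
    <cfset safeName = createUUID() & "." & lCase(upload.serverFileExt)>
    <cffile action="move"
            source="#tempPath#"
            destination="#expandPath('/uploads/')##safeName#">

    <cfcatch type="any">
        <!--- Whatever failed, do not leave the rejected file on disk. --->
        <cfif fileExists(tempPath)>
            <cffile action="delete" file="#tempPath#">
        </cfif>
        <cfrethrow>
    </cfcatch>
</cftry>

<cfoutput><p>Stored as #safeName#</p></cfoutput>
```

On CF10 and later, adding accept="*.jpg,*.png" strict="false" to the upload tag makes cffile perform the extension check itself, but the temp-directory upload, the rejected-file cleanup and the server-chosen file name are still worth keeping. Also confirm that the web server serves /uploads/ as static content only, so that a file with an image extension is never handed to the CFML engine.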
