Skip to main content
B
bloodbanker
Known Participant
February 23, 2015
Answered

Document folder outside of webserver

  • February 23, 2015
  • 2 replies
  • 1269 views

Hi,

At my facility we have access to drives that are up to a TB in size.  We have a lot of documents we plan to scan and save "online".  Currently our web servers are relatively small, the on I am on now is only 20GB and it's almost full.

Can I upload documents through a web page to a drive that is not on the web server, and also build a page that links to those documents so that users can open them?

Thanks

    This topic has been closed for replies.
    Correct answer Dave Ferguson

    First, you should't be using a url var in a file path.  This leads to directory traversal attacks.

    Here is how you can make this work...

    • First, make sure CF is running as a specific user.  It should be already if the lockdown guid was followed.
    • Take the same credentials that CF is running as (user/password) and create an identical account on the server where the files are stored.
    • Create a share on the server to the files giving the CF user read permissions
    • Change your code to use a UNC path to get to the file.

    <cfset fileName = url.filename>

    <!--- validate that the filename field is in an expected format --->

    <!--- always use forward slashes for file paths.  That way if the code moves to a linux based server you don't have to change anything. --->

    <cfset fullPath = "//server/share/path/to/file/#filename.pdf">

    <cfif fileexists(fullPath)>

    <cfheader name="Content-disposition" value="attachment;filename=#fileName#.pdf">

    <cfcontent file="#fullPath#" deletefile="false">

    <cfelse>

    File not found...

    </cfif>

    HTH,

    --Dave

    2 replies

    Dave Ferguson
    Dave Ferguson
    Participating Frequently
    February 26, 2015

    This is totally possible without using a web service.  But it all depends on a few factors like network connectivity to storage and webserver os.  Can you explain a little about your environment and what you are running?

    B
    bloodbankerAuthor
    Known Participant
    February 26, 2015

    Thanks.

    We are currently using CF9, but I will be moving the site to a CF10 server.  Please keep in mind I am not a network person, nor a CF person, nor a programmer of any sort, so my terminology is likely wrong.

    On the CF10 server the database is on a separate MS SQL server.  Our IT department set up permissions to allow the web server to "talk" to the database server and it works fine.

    We have shared file systems available.  I presume our IT people would also be able to let the web server talk to that drive?

    Currently the files are stored outside of the web directory, but on the same server.  I use this file to retrieve them from a link:

    <cfif fileexists('H:\scanned_files\#url.filename#.pdf')>

    <cfheader name="Content-disposition" value="attachment;filename=#url.filename#.pdf">

    <cfcontent file="H:\scanned_files\#url.filename#.pdf" deletefile="false">

    <cfelse>

    File not found...

    </cfif>

    Dave Ferguson
    Dave FergusonCorrect answer
    Participating Frequently
    February 26, 2015

    First, you should't be using a url var in a file path.  This leads to directory traversal attacks.

    Here is how you can make this work...

    • First, make sure CF is running as a specific user.  It should be already if the lockdown guid was followed.
    • Take the same credentials that CF is running as (user/password) and create an identical account on the server where the files are stored.
    • Create a share on the server to the files giving the CF user read permissions
    • Change your code to use a UNC path to get to the file.

    <cfset fileName = url.filename>

    <!--- validate that the filename field is in an expected format --->

    <!--- always use forward slashes for file paths.  That way if the code moves to a linux based server you don't have to change anything. --->

    <cfset fullPath = "//server/share/path/to/file/#filename.pdf">

    <cfif fileexists(fullPath)>

    <cfheader name="Content-disposition" value="attachment;filename=#fileName#.pdf">

    <cfcontent file="#fullPath#" deletefile="false">

    <cfelse>

    File not found...

    </cfif>

    HTH,

    --Dave

      B
      bloodbankerAuthor
      Known Participant
      February 26, 2015

      Is this possible?  If yes, could someone point me to some reference documents for this?  Also, if it's not possible, that would be great to hear also.

      Thank you

      H
      haxtbh
      Inspiring
      February 26, 2015

      Its not something you can natively do with out using some form of web service. For example we use Amazon S3 to store all our documents and images and use the built in S3 support in coldfusion to process them user side. This way you just pay for what you need too.

        B
        bloodbankerAuthor
        Known Participant
        February 26, 2015

        Okay, thanks.  That helps with our decision on how to progress.  We'll buy more webspace.

        As I mentioned all of the drives would be inhouse behind our firewall, I can't store these documents on Amazon.

        Surprisingly I can have a 1TB drive for free, but I need to pay (handsomely) for webspace.

        Firefly Community Gallery
        Adobe Firefly

        Remix with Firefly Community Gallery

        Thousands of free creations to fall in love with and remix in Firefly.

        Explore now
        Terms & ConditionsAccessibility statement
        Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices