Inspiring
September 7, 2013
Question

get attachment directory

  • September 7, 2013
  • 2 replies
  • 981 views

I want the user to upload attachments to my upload directory like the following:

C:\inetpub\wwwroot\MySite\Test\uploadFile

<cfset strPath = ExpandPath( "./" ) />

<cfset strPath = GetDirectoryFromPath(GetCurrentTemplatePath())  />

<cfoutput> #strPath#</cfoutput>

I use the above code, which gives me the following path:

C:\inetpub\wwwroot\MySite\Test\

Is there any way to add \uploadFile to the returned path?

Your help and information is greatly appreciated,

regards,

Iccsi,


    Carl Von Stetten
    Legend
    September 9, 2013

    iccsi,

    I'd strongly recommend not allowing files to be uploaded anywhere inside of your web root (i.e.: inside "\inetpub\wwwroot").  This is a major security hole and attack vector.  It would allow malicious users to upload executable files or scripts and subsequently execute them from the browser.


    Always upload to a folder outside your web root, validate what was uploaded, then move to a folder inside the webroot ***if appropriate***.
    -Carl V.
    iccsi (Author)
    Inspiring
    September 9, 2013

    Thanks for the information,

    I use accept to only allow pdf, doc, xls files to be uploaded.

    Can I upload to any physical directory that I specify using ColdFusion, for example C:\MyTempDirectory?

    If so, the user would still be able to upload malicious code to the temp directory as well.

    I think that the solution is to limit the file types that can be uploaded and prohibit files in the folder from executing.

    Thanks again for helping,

    Regards,

    Iccsi,

    Carl Von Stetten
    Legend
    September 9, 2013

    Depending on the version of CF you are using, the "allow" filtering may not be adequate.  It is easy to spoof this by merely changing the extension of a file to appear to be a pdf, doc, xls file.  CF10 did add the ability to actually check the mime type of uploaded files to validate them, which does improve the security of uploads.

    Regardless, uploading directly to a folder within the web root violates web development best practices, regardless of whether you are using ColdFusion or any other server-side programming technology.

    -Carl V.
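    The staging-then-validate-then-move flow Carl describes, combined with the CF10 content-based MIME check, as an added example (not code from the thread). It assumes ColdFusion 10 or later for fileUpload() and fileGetMimeType(), a form field named "attachment", and an illustrative staging folder C:\MyTempDirectory\staging.

```cfml
<cfscript>
// Added example: stage uploads outside the web root, verify the real content
// type, and only then move the file under the web root.
// Assumes CF10+; the staging path and form field name are illustrative.
stagingDir = "C:\MyTempDirectory\staging";   // outside C:\inetpub\wwwroot, never served
publicDir  = expandPath("./uploadFile");     // inside the web root, served to browsers
allowedMime = ["application/pdf", "application/msword", "application/vnd.ms-excel"];
allowedExt  = "pdf,doc,xls";

if (!directoryExists(stagingDir)) directoryCreate(stagingDir);

// 1. Upload into the staging folder, not into the web root.
//    makeunique prevents a client-chosen name from overwriting an existing file.
upload = fileUpload(stagingDir, "attachment", arrayToList(allowedMime), "makeunique");
staged = stagingDir & "\" & upload.serverFile;

// 2. Validate by inspecting the bytes, not the extension the client chose.
//    strict=true makes fileGetMimeType read the file content instead of the name.
actualMime = fileGetMimeType(staged, true);
extension  = lCase(listLast(upload.serverFile, "."));

if (!arrayContains(allowedMime, actualMime) || !listFindNoCase(allowedExt, extension)) {
    // Spoofed extension or unexpected content: discard it from staging.
    fileDelete(staged);
    writeOutput("Upload rejected: content type " & actualMime & " is not allowed.");
} else {
    // 3. Only a validated file is moved into the web root, under a server-generated
    //    name so the client never controls what path is published.
    if (!directoryExists(publicDir)) directoryCreate(publicDir);
    safeName = createUUID() & "." & extension;
    fileMove(staged, publicDir & "\" & safeName);
    writeOutput("Stored as " & safeName);
}
</cfscript>
```

    Files that fail validation never exist under the web root, so even if a script is uploaded it is not reachable through the browser.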

    Inspiring
    September 9, 2013

    I usually manage this in my Application.cfc in the onApplicationStart function, for example:

    <cfscript>

    var varAppDrive = listFirst(cgi.path_translated, ":");

    application.upload_folder =  varAppDrive & ":\inetpub\wwwroot\MySite\Test\uploadFile";

    </cfscript>

    In the app you can use:

    <cfset strPath = application.upload_folder />

    <cfoutput> #strPath#</cfoutput>

    I hope this helps.

    Best,