upload from local or url, the most secure file extension check

Question

In short, I want to allow users to upload images from a local computer or url. So, what's the best aproach to secure my application, more specifically to block all file extensions except those in white list. I do not want to rely on mime type simply because it can be easily faked and offer false sense of security.

I would like to pass data with jquery, the code would look something like this

$.ajax({

url: "cfc/uploadImg.cfc",

dataType: 'JSON',

data: {

method : 'uploadImages',

returnformat : 'JSON',

post: $("#title").val(),

img: $("#image").val(),

},

success: function(data) {

/*shows error msg*/

alert(data);

}

});

uploadImg.cfc

some validation

.

and then something like this

<cftry>

<cffile action="upload" filefield="arguments.img" destination="#GetTempDirectory()#" nameconflict="makeunique"

<cfset errorMsg = "wrong file extension..."

<cftry>

</cfcatch>

</cftry>

I know that this method also is not bulletproof, so what do you suggest?

p_sim · Answer

Besides checking the file extension, you could add another layer of security by using IsImageFile(). It supports:

JPEG
GIF
TIFF
PNG
BMP

http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7978.html

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded