Hi everyone. My company has been hit with 3 viruses in the last few months and we think it's because of some attachments employees are clicking on and opening. We have a quote page on our web site form that allows users to attach files that get sent to our quote email address. The form does not prevent certain attachments from being uploaded and attached and sent to the email though. Does anyone know how to prevent attachments with certain file extensions from being sent from a form in ColdFusion? I would probably want to prevent .exe, .zip, etc. files for sure. Thanks.
To my knowledge, there is no way to "blacklist" file extensions, but you can specify what filetypes are allowed if you are using CFFILE to upload the files to the server. The link goes to the Adobe Help page for CFFILE.
UPDATE: Also, if you communicate with the server admin, you can set up a folder specifically for uploading the files to and set the folder permissions to NOT allow execution of any file. This will automatically prevent an infected file from infecting the system. You can then scan the file for viruses and delete it if it's infected, before moving it elsewhere.
Thanks! This works, but I'm not sure if we're going to want to limit ourselves on every file we receive. We receive some odd ones sometimes that are legitimate that we need to open.
In that case, you could forget about the accept parameter and just upload the file to a folder that has no execution privileges - this should be huge in helping to prevent the virus transmission.
If the server doesn't automatically scan all uploaded files, I'm not sure if CF has anything that could scan.
On the subject of virus scanning, if you can't configure virus scanning software to do on-demand scanning of upload folder(s), then you might be able to programmatically initiate a scan of the uploaded file after the <cffile> operation by using <cfexecute> and calling the virus scanner via command-line parameters.
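Putting the suggestions in this thread together (a CFFILE upload into a dedicated folder, an extension check, a command-line scan started with CFEXECUTE after the upload, then delete or release), as an added CFML example that is not any poster's code. The folder paths, the ClamAV `clamscan.exe` location and its output format (`path: OK` for clean files, `path: <signature> FOUND` for detections), the form field name `attachment`, and the mailbox addresses are assumptions to adapt to your server; `errorVariable` on `cfexecute` needs ColdFusion 8 or later.

```cfml
<!--- Added example, not code from the original thread. Paths, scanner and addresses are assumptions. --->
<cfset quarantineDir = "D:\uploads\quarantine\">   <!--- outside the webroot; admin sets no-execute on it --->
<cfset acceptedDir   = "D:\uploads\accepted\">     <!--- files only land here after a clean scan --->
<cfset scannerPath   = "C:\Program Files\ClamAV\clamscan.exe">  <!--- assumed scanner location --->
<cfset deniedExts    = "exe,com,scr,bat,cmd,pif,vbs,js,msi,zip"> <!--- extensions the poster wants blocked --->

<cftry>
    <!--- 1. Upload into quarantine. No accept= here, so any file type is taken (per the poster's wish). --->
    <cffile action="upload"
            filefield="attachment"
            destination="#quarantineDir#"
            nameconflict="makeunique">

    <!--- The cffile scope is only populated by the upload, so capture what we need now. --->
    <cfset savedName    = cffile.serverFile>
    <cfset savedExt     = cffile.serverFileExt>
    <cfset uploadedPath = quarantineDir & savedName>

    <!--- 2. Deny-list check on the extension ColdFusion reports for the saved file. --->
    <cfif listFindNoCase(deniedExts, savedExt)>
        <cfthrow message="Attachment type .#savedExt# is not accepted.">
    </cfif>

    <!--- 3. Scan the quarantined file from the command line. cfexecute exposes no exit code,
          so the decision is made on clamscan's printed verdict. Quotes in the attribute are
          doubled to protect paths that contain spaces. --->
    <cfexecute name="#scannerPath#"
               arguments="--no-summary ""#uploadedPath#"""
               variable="scanOutput"
               errorVariable="scanError"
               timeout="120" />

    <cfif findNoCase(" FOUND", scanOutput)>
        <cfthrow message="Attachment rejected by the virus scanner.">
    <cfelseif NOT findNoCase(": OK", scanOutput)>
        <!--- No verdict at all (scanner missing, timed out, or printed only an error): fail closed. --->
        <cfthrow message="Virus scan did not complete; attachment discarded. #scanError#">
    </cfif>

    <!--- 4. Only a scanned, clean file leaves quarantine and goes out by mail. --->
    <cffile action="move" source="#uploadedPath#" destination="#acceptedDir##savedName#">

    <cfmail to="quotes@example.com" from="web@example.com" subject="Quote request with attachment">
        A new quote request was submitted; the scanned attachment is included.
        <cfmailparam file="#acceptedDir##savedName#">
    </cfmail>

    <cfcatch type="any">
        <!--- Any failure (bad extension, detection, scanner error, cfexecute disallowed by the
              sandbox) removes the quarantined file before the error is passed on. --->
        <cfif isDefined("uploadedPath") AND fileExists(uploadedPath)>
            <cffile action="delete" file="#uploadedPath#">
        </cfif>
        <cfrethrow>
    </cfcatch>
</cftry>
```

Two caveats a practitioner would want here. The `accept` attribute mentioned earlier matches the MIME type the browser sends, which the client controls, so it is not a security boundary on its own; and an extension check only sees the last extension, so `report.exe` renamed to `report.txt` passes step 2, which is why the scan in step 3 and the no-execute folder from the earlier reply still matter. The `cfcatch` also covers the sandbox concern raised below: if CFEXECUTE is not permitted, the upload is discarded rather than mailed unscanned.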
That's a great idea, as long as the security isn't screwed down so tight that CFEXECUTE isn't allowed to run.