noble6
Participant
June 24, 2019
Question

Getting "Uploads with empty file extensions are not allowed" after ColdFusion 2018 Update 4


Greetings All,

After upgrading to update on ColdFusion 2018 I have been getting an error from cffile stating "Uploads with empty file extensions are not allowed". This has been isolated down in my code to an implementation of plupload which will do large file uploads via chunking.

When inspecting the headers plupload is changing the filename to "blob" which is stripping the file extension.

------WebKitFormBoundaryvA9v8ChjbTSXEt9w
Content-Disposition: form-data; name="file"; filename="blob"
Content-Type: application/octet-stream

Has anyone found a way to disable this check in ColdFusion or at least modify it to allow for the upload of files without extension? I have confirmed it was not present in CF 2018 update 3.

Regards,
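
Why the part arrives as filename="blob", shown as an added example that is not part of the original post or of plupload's code: a chunk cut with Blob.slice() is a plain Blob, and FormData names it "blob" unless a filename is passed as the third argument to append(). The form field names (name, chunk, chunks), the chunk size and the sample file name are assumptions made for the illustration.

```javascript
// Added example. Runs in a browser or in Node 18+ (global Blob and FormData).
const CHUNK_SIZE = 4; // bytes; tiny on purpose so the constructed sample yields 3 chunks

// Extension as a server-side check would see it: text after the last dot of
// the base name, or "" when there is none (a leading dot does not count).
function extensionOf(filename) {
  const base = filename.split(/[\\/]/).pop();
  const dot = base.lastIndexOf(".");
  return dot > 0 ? base.slice(dot + 1).toLowerCase() : "";
}

// Build one multipart form per chunk, the way a chunking uploader does.
// keepName=false reproduces the header in the question; keepName=true passes
// the original name so the server still receives a real extension.
function buildChunkForms(data, originalName, keepName) {
  const source = new Blob([data], { type: "application/octet-stream" });
  const total = Math.ceil(source.size / CHUNK_SIZE);
  const forms = [];
  for (let i = 0; i < total; i++) {
    const piece = source.slice(i * CHUNK_SIZE, (i + 1) * CHUNK_SIZE); // Blob, not File
    const fd = new FormData();
    fd.append("name", originalName);    // assumed field: original file name
    fd.append("chunk", String(i));      // assumed field: chunk index
    fd.append("chunks", String(total)); // assumed field: chunk count
    if (keepName) fd.append("file", piece, originalName);
    else fd.append("file", piece);      // filename defaults to "blob"
    forms.push(fd);
  }
  return forms;
}

// Summarise what each "file" part will carry in its Content-Disposition header.
function describeChunks(forms) {
  return forms.map((fd) => {
    const part = fd.get("file");
    return { filename: part.name, extension: extensionOf(part.name), bytes: part.size };
  });
}

// Constructed sample: a 10-byte stand-in for a large upload.
console.log(describeChunks(buildChunkForms("0123456789", "report.pdf", false)));
console.log(describeChunks(buildChunkForms("0123456789", "report.pdf", true)));
```

When the client sends the original name on every chunk, the server's extension check can stay enabled with a specific allow-list.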

    4 replies

    Inspiring
    June 11, 2025

    I know this thread is old,  but I've just struck a similar issue on a hosted CF2023 server. It happens periodically. One file gets uploaded no problem and another with exactly the same extension, similar size, will not. I tried the allowedExtensions="*" workaround and the file uploads, but it's sitting in the folder with a "blob1" extension and nothing can be done with it.

    Community Manager
    July 17, 2019

    Hi,

    The check for empty extensions was added in the June update for 2018, 2016 and 11. It was done for security reasons, so unfortunately we cannot divulge any further details.

    Using empty file extensions when uploading files seemed rather uncommon, hence it was not mentioned in the release notes. Given that there is some usage (the plupload use-case), we can update the notes to include this change.

    The workaround is the same as the one already suggested in this forum thread i.e using allowedExtension="*". Ensure the files are uploaded to a non web-accessible directory.

    We will explore the suggestions given for a possible fix but cannot commit anything at this point.

    Thanks,

    Vamsee

    (Adobe CF Team)

    Participating Frequently
    July 17, 2019

    Vamsee, thanks for the confirmation.  It would be good to document this new behavior and the workaround (with appropriate warnings) in the release notes. 

    --Stewart McGuire

    Charlie Arehart
    Community Expert
    July 14, 2019

    Are you sure you did not experience it in u3? I ask because that update SPECIFICALLY introduced changes regarding file uploads based on file extensions (due to a vulnerability I found and reported to Adobe in the weeks before it).

    And that update's technote (and my blog posts at the time, pointing to it) talked about the new means to control file uploads (primarily disabling uploads of server-executable extensions by default):

    https://www.carehart.org/blog/client/index.cfm/2019/3/1/urgent_CF_security_update_Part_1

    I don't recall any discussion of files with NO extension at all. That may be undefined behavior, or Adobe may have disabled them also in u3 or u4. I am not aware of any option to control "no extension", but you should read the technotes to find out, starting with my post above.

    Let us know what you find out.

    /Charlie (troubleshooter, carehart. org)
    Inspiring
    July 14, 2019

    Hi Charlie, I can't speak to the OP's update level but in my case, I have a client on CF11 who presumably started getting this after update 18 which included the fix for file extensions.  I too noticed that the release notes have no mention of this behavior specifically, however it does seem to be on purpose if you examine the stack trace:

    coldfusion.tagext.io.FileUtils$EmptyFileNameException: Uploads with empty file extensions are not allowed
        at coldfusion.tagext.io.FileUtils.checkisBlocked(FileUtils.java:999)
        at coldfusion.tagext.io.FileUtils.matchExtensions(FileUtils.java:962)
        at coldfusion.tagext.io.FileUtils.uploadFile(FileUtils.java:697)
        at coldfusion.tagext.io.FileTag.upload(FileTag.java:784)
        at coldfusion.tagext.io.FileTag.doStartTag(FileTag.java:357)
        at coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:3011)

    The error is raised from inside a function called checkisBlocked() which seems to be part of the new security checks and the actual name of the exception subclass is "EmptyFileNameException" not to mention the error message itself specifically calls out the lack of extension. So it does appear this was a conscious decision by Adobe. However, I am a little puzzled by it since the lack of an extension would actually make it difficult (if not impossible) for a hacker to use an extensionless file since it wouldn't be mapped to any web server handlers like .cfm or .php, etc.

    Inspiring
    July 14, 2019

    A little update to this-- I just did some poking at CF11 and the specific check for a missing extension was actually added in update 19, NOT update 18. This explains why my client just now noticed it. This is very interesting since there is no mention at all of a change to the file extensions in the release notes for CF11's update 19. It seems Adobe "snuck in" this breaking change. So perhaps 2018's Update 4 is also where this behavior came in as well. It appears the only way to get around this may be to set an allowed mimeType of * on the upload which is undesirable as it bypasses the security mechanism entirely!

    Inspiring
    July 13, 2019

    Did you find an answer to this?