
cffile

Explorer, Aug 02, 2018

Hi,

Sorry if this is a dumb question, I'm new to this.

I have a form where I want the user to be able to upload an image from a form. For the cffile I'm using

<cfif len(trim(form.ImageData))>
  <cffile action="upload"
     fileField="ImageData"
     destination="\uploads"
     nameConflict="MakeUnique">
</cfif>

It works locally when I input the specific directory on my hard drive, but when I use the above online I get an access denied error and it looks like it's trying to save it locally on c:\uploads.

On my FTP I created an upload folder, but I don't know what the 'destination' field typically looks like when you are trying to use cffile on a live site. What information do I need from my web host to make this work? Like, does it involve an IP address? I'm thinking some kind of username and password will be required. Does cffile have a username/password field too? Basically, what should cffile look like when you're using it on a live site?

Thanks,

Mike

Correct answer

LEGEND, Aug 02, 2018

Here.. let's make this foolproof.  In your sites root folder, open the application.cfc, find the onRequestStart section and add the following:

<cfset rootPath = "#REreplaceNoCase(ExpandPath('./'),'(.+[\\|\/]mymindsnotright.com\\www)(.)+','\1','all')#" />

This line will create a variable called rootPath, and no matter where in the folder structure the user goes, rootPath will always point to the root of the site.

Then, depending upon where in your site the uploads folder is, you append that flow to t

...

LEGEND, Aug 03, 2018

Any progress on this?  Has GoDaddy fixed this, yet? 

V/r,

^ _ ^

Explorer, Aug 05, 2018

I just spoke with technical support and they gave permission to write to that folder so it works now! Thank you sooo much for all your help. I really, really appreciate it. This has been bumming me out for the last few days thinking that this wouldn't work, as it was a pretty important part of my website, but it works now. Thanks again.

Community Expert, Aug 05, 2018

Great to hear. Please do pick one of the answers as the "answer" so as to help future readers to understand what helped you (and would help others) to solve this.

/Charlie (troubleshooter, carehart.org)

Community Expert, Aug 06, 2018

Just to follow up on this a little bit: it looks like your uploads folder is web-accessible. This is potentially dangerous, as anyone who uploads a file can then execute that file if it's executable. So, be careful!

Dave Watts, Fig Leaf Software

Community Expert, Aug 06, 2018

I see that Charlie already mentioned this, now that I read the whole thread.

Dave Watts, Fig Leaf Software

LEGEND, Aug 08, 2018

https://forums.adobe.com/people/Dave+Watts  wrote

Just to follow up on this a little bit: it looks like your uploads folder is web-accessible. This is potentially dangerous, as anyone who uploads a file can then execute that file if it's executable. So, be careful!

Dave Watts, Fig Leaf Software

It should be okay if the /uploads folder properties are set to not allow executables.

V/r,

^ _ ^

Community Expert, Aug 08, 2018

Maybe, but what we think of as executables nowadays is broader than what servers do. Server-side scripts like CF, client-side stuff like JavaScript and CSS, document macros - that's all executable. If the form allows you to upload any of that stuff, bad things can happen. Obviously really bad things can happen with server-side scripts, but the other stuff can cause you problems of various sorts as well even though they can't explicitly execute on your server.

And if there's one thing that I've learned over twenty years of dealing with web security, it's that there are smarter people than me compromising web security. So, it's important for me at least to rely on things like defense in depth, because I can't predict all of the things that could go wrong. For example, not too long ago on these very forums, someone asked how to destroy and recreate session cookies when a user logs out of a site, as requested by his CSO. Someone else said, why bother? And that was my initial reaction as well. But it turns out, someone smarter than me figured out how to do something bad in that situation, which was why the recommendation to destroy session cookies at logout is a thing that exists now. I don't remember the specifics, but it's worth reading about.

This is not intended as a criticism of you or your response, WolfShade​ - it is entirely possible to adequately secure a public web folder that allows uploads. But it's harder, and it's not trivial, and problems with doing this can happen to any of us developing and deploying web content on untrusted networks.

Dave Watts, Fig Leaf Software

Community Expert, Aug 02, 2018

Aha. You wrote your replies (confirming that it still did not work) as I was writing and posting this. But yours showed up before mine, so I am tweaking this (after posting it) so it makes sense as you or others come across it.

So you said earlier that you're running this code on a hosted server. I suspect the problem is that CF is set up (on the host) to run as a user (the user running the CF service) which DOES NOT HAVE PERMISSION TO WRITE TO THE DIRECTORY you want to write to.

If you think about it, it’s not unusual for a host to want to limit what can be written to a folder that would then be accessible via the web (as you show in your desired URL of http://www.mysite.com/uploads). There are good security reasons to not want to allow that. Or to require that some precautions be taken (such as scanning the file for viruses, etc.) before letting such a file be accessible.

And here is where often the desires of a hosting company clash with the desires of their clients. YOU may want to be able to allow uploads of files to a web-accessible directory, but THEY may not. And in that case, you’re in a pickle.

But CF has a solution for that: you can use the CFFILE action=”upload” to save the file somewhere that they tell you they ARE OK to write to, and then you could serve that to users using a tag like CFCONTENT, which can serve up a file as content back to the user. But since you are new to CF, I won’t elaborate on this here. There are lots of potential pitfalls and challenges in using CFCONTENT (to solve various desires for its use).

So first, do you really need to write to that web-accessible folder, after all? If not, the web host may be willing to set some other non-web-accessible folder that they'd be willing to let CF write to.

If you were in control of the server, you could also perhaps change the folder (you want to write to) so that it had permission to be written to by CF (by the CF page doing the file upload to that directory). But again you don't, and the host may not be willing to do that.

In either case, again, you need to consider taking precautions about what you are letting people upload and then "download". (Some also want to let person A upload a file that only person A can see. That also is something that can be better managed/controlled via code using CFCONTENT to serve up the file.)

So just beware: what you want to do is something to be cautious about, even if you can get it working.


/Charlie (troubleshooter, carehart.org)
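
Added example, not part of any post in this thread: the approach Charlie describes above (upload to a folder that is not web-accessible, then serve the file through CFCONTENT), combined with the type restrictions that Dave Watts's point about executable content calls for. The folder path, the file names upload_action.cfm and getimage.cfm, and the URL parameter f are assumptions.

```cfml
<!--- upload_action.cfm (hypothetical name). Assumption: the host has let CF
      write to this folder, and it is NOT under the web root. --->
<cfset uploadDir = "D:\private\uploads\">
<cfif structKeyExists(form, "ImageData") and len(trim(form.ImageData))>
  <cftry>
    <!--- accept + strict="true": CF checks the file's detected MIME type,
          not only the type the browser claims --->
    <cffile action="upload" fileField="ImageData" destination="#uploadDir#"
            accept="image/jpeg,image/png,image/gif" strict="true"
            nameConflict="MakeUnique" result="up">
    <cfset savedPath = up.serverDirectory & "\" & up.serverFile>
    <!--- Second layer: extension allowlist plus an image-content check --->
    <cfif not listFindNoCase("jpg,jpeg,png,gif", up.serverFileExt)
          or not isImageFile(savedPath)>
      <cffile action="delete" file="#savedPath#">
      <cfthrow message="Rejected upload">
    </cfif>
    <!--- Server-generated name: the client never controls the stored file name --->
    <cfset storedName = createUUID() & "." & lCase(up.serverFileExt)>
    <cffile action="rename" source="#savedPath#" destination="#uploadDir##storedName#">
    <cfcatch type="any">
      <cfoutput>Upload rejected.</cfoutput>
      <cfabort>
    </cfcatch>
  </cftry>
</cfif>

<!--- getimage.cfm (hypothetical name): serves a stored image via CFCONTENT.
      Linked as getimage.cfm?f=<storedName> --->
<cfset uploadDir = "D:\private\uploads\">
<cfparam name="url.f" default="">
<!--- Accept only names of the form generated above (CF UUID + image extension),
      so path separators and ".." can never reach the file system --->
<cfif not reFindNoCase("^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{16}\.(jpg|jpeg|png|gif)$", url.f)
      or not fileExists(uploadDir & url.f)>
  <cfheader statuscode="404" statustext="Not Found">
  <cfabort>
</cfif>
<cfset mime = {jpg="image/jpeg", jpeg="image/jpeg", png="image/png", gif="image/gif"}>
<!--- Fixed image type plus nosniff: the browser will not treat the bytes as HTML or script --->
<cfheader name="X-Content-Type-Options" value="nosniff">
<cfcontent type="#mime[listLast(url.f, '.')]#" file="#uploadDir##url.f#">
```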

Explorer, Aug 02, 2018

Yeah, I still get access denied. If I call my web host, what should I ask them? If there is a directory that can be written to that I can use? It is sounding like I'm out of luck in this case.

Community Expert, Aug 02, 2018

Wycks, are you asking Wolf in reply to his note? Or have you read mine? I tried to clarify what is likely the problem, and what your options seem to be.


/Charlie (troubleshooter, carehart.org)

Explorer, Aug 02, 2018

I just read yours. I'm going to call and ask them if there is a folder that they allow me to write to.

Thanks, both of you.

Explorer, Aug 02, 2018

Actually, that's because there is no onRequestStart section.

LEGEND, Aug 02, 2018

Did you place that at the bottom of the application.cfc, or between the opening and closing tags for onRequestStart?

Explorer, Aug 02, 2018

This is my whole application.cfc file:

<cfcomponent>
<cfscript>
  this.name = "MyMindsNotRight";
  this.sessionmanagement = true;
</cfscript>
</cfcomponent>
<cffunction name="onRequestStart">
  <cfset rootPath = "#REreplaceNoCase(ExpandPath('./'),'(.+[\\|\/]mymindsnotright.com\\www)(.)+','\1','all')#" />
</cffunction>

I'm really sorry, I'm very new at all this.

LEGEND, Aug 02, 2018

Are you using application.cfc, or application.cfm?

Remove that line from the application.cfc/cfm, place it at the top of the action page for the file upload.  It just won't be available to your whole site.
