In short, I want to allow users to upload images from a local computer or URL. So, what's the best approach to secure my application, more specifically to block all file extensions except those in a white list? I do not want to rely on the MIME type simply because it can be easily faked and offers a false sense of security.
I would like to pass the data with jQuery; the code would look something like this:
    // Send the file itself, not just its name: $("#image").val() only yields the
    // path string, so the upload has to go through FormData.
    var form = new FormData();
    form.append("method", "uploadImages");
    form.append("returnformat", "JSON");
    form.append("post", $("#title").val());
    form.append("img", $("#image")[0].files[0]);

    $.ajax({
        url: "cfc/uploadImg.cfc",
        type: "POST",
        dataType: "json",
        data: form,
        processData: false,   // let the browser build the multipart body
        contentType: false,   // ...and set the multipart boundary header itself
        success: function(data) {
            /* shows error msg */
            alert(data);
        }
    });
uploadImg.cfc
some validation
.
.
.
and then something like this:
    <cftry>
        <!--- filefield names the form field that carried the file --->
        <cffile action="upload" filefield="img" destination="#GetTempDirectory()#" nameconflict="makeunique">
        <cfif NOT ListFindNoCase("jpg,png", CFFILE.ServerFileExt)>
            <cfset errorMsg = "wrong file extension...">
            <!--- the file is already on disk at this point, so remove it again --->
            <cftry>
                <cffile action="delete" file="#CFFILE.ServerDirectory#\#CFFILE.ServerFile#">
                <cfcatch>
                    <!--- nothing more to do if the cleanup fails --->
                </cfcatch>
            </cftry>
        </cfif>
        <cfcatch>
            <cfset errorMsg = "upload failed: #cfcatch.message#">
        </cfcatch>
    </cftry>
I know that this method also is not bulletproof, so what do you suggest?