Shaun Mccran

My digital playground

11 May 2011

Handling CFfile upload 'accept' file type errors

I was working on a system recently that allowed a user to upload images onto the server. It was restricted to image file types, more specifically 'jpeg' and 'gif' files.

This is easily done with the 'accept' parameter, as documented in the ColdFusion documentation:

    Accept:

    Limits the MIME types to accept. Comma-delimited list. For example, the following code permits JPEG and Microsoft Word file uploads:

    accept = "image/jpg, application/msword"

    The browser uses the file extension to determine file type.

It is important to note here that it is the browser that uses the file extension to decide the type, so renaming an exe to jpg would fool it entirely.

Issues arise when you don't handle an invalid file upload in a friendly manner. In this case, when a user tried to upload an incorrect file type they saw a nasty unformatted error message stating that the request could not be processed because the file was the wrong MIME type.

You cannot tell what the file type is until you attempt to upload it, so wrap your cffile tags in a simple try-catch and handle any errors the same way you normally would, i.e. by catching the system message and instead displaying a nice, user-friendly message that doesn't sound like it was written by robots.

<cftry>
    <!--- The accept list is checked against the browser-reported type, so a disallowed type throws here --->
    <cffile action="upload" destination="#request.uploadPath#" fileField="form.new_image" accept="image/jpeg, image/gif" nameConflict="overwrite">

    <!--- An untyped cfcatch handles every exception cffile raises, not just the MIME type one --->
    <cfcatch>
        <cfset attributes.errors.type = 'error'>
        <cfset attributes.errors.message = "The type of file you have tried to upload is not allowed, please select a jpg or gif.">
        <cfset request.continue = false>
    </cfcatch>
</cftry>

Comments
Just a tip. You should also narrow down the error to a mime type error to prevent showing the mime type message regardless of the exception thrown by cffile. This can be done with

<cfif FindNoCase("not accepted", cfcatch.Message)>

Since there are some known issues with the accept attribute of cffile (which are in fact browser issues - Firefox needs "application/upload" for .PDF's, IE expects its own jpeg mime type) and it can be fooled easily by renaming the file extension, I prefer checking the extension myself. That doesn't make it more secure, but easier to implement.

Andreas Schuldhaus
# Posted By Andreas Schuldhaus | 11/05/2011 13:02
Hi Andreas,
That's a good tip. I was more surprised to find that you can't do much pre-processing on the file before you try the upload.

You are right though, it is very easy to spoof the file type, so you shouldn't just rely on the extension to validate it.
# Posted By Shaun McCran | 11/05/2011 14:13
Lots of good information regarding CFFile is available here:
http://www.coldfusionjedi.com/index.cfm/2007/10/12...

I've also been adding functions like isPDF(), isImage() & isXML() to verify whether the uploaded files can be read correctly by ColdFusion in case the scripts need to modify them later (read, resize, watermark).
# Posted By James Moberg | 11/05/2011 14:20
Hi James,

That is a good article by Ray, he goes into the process quite a lot there.

That's quite a good idea having a library of validators to check the files more thoroughly. You could almost run a pre upload routine where the file was uploaded into a secure location, validated and then just moved.
# Posted By Shaun McCran | 11/05/2011 14:27
Also discovered that the mime types are read totally differently in various browsers, for example accept="image/jpeg, image/gif" is fine for Firefox and Chrome, but throws an error in IE.

Using accept="image/*" seems to validate all image mime types.
# Posted By Shaun | 18/05/2011 22:29
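The "upload to a secure location, validate, then move" routine suggested in the comments, combined with the try/catch from the post, as an added example that is not code from the original post or its comments. It assumes the post's request.uploadPath and form.new_image, and introduces ALLOWED_SIGNATURES and detectImageType() as helpers that are not part of ColdFusion itself.

```cfml
<cfscript>
// Added example (not from the original post): gate the upload on the file's
// leading bytes, not on the browser-reported MIME type. A renamed .exe starts
// with "MZ", so it fails this check even though accept= would let it through.
// request.uploadPath and form.new_image are the names used in the post;
// ALLOWED_SIGNATURES and detectImageType() are assumed helpers added here.
ALLOWED_SIGNATURES = {
    "jpg": ["FFD8FF"],                        // JPEG / JFIF
    "gif": ["474946383761", "474946383961"]   // "GIF87a", "GIF89a"
};
// Returns "jpg", "gif" or "" from file content alone; the file name is ignored.
function detectImageType(required string path) {
    var hex = ucase(binaryEncode(fileReadBinary(arguments.path), "hex"));
    for (var kind in ALLOWED_SIGNATURES) {
        for (var sig in ALLOWED_SIGNATURES[kind]) {
            if (left(hex, len(sig)) == sig) return kind;
        }
    }
    return "";
}
</cfscript>

<cftry>
    <!--- 1. Land the file in a temp directory that is not web-accessible --->
    <cffile action="upload" destination="#getTempDirectory()#"
            fileField="form.new_image" nameConflict="makeunique" result="upload">
    <cfset tmpFile = upload.serverDirectory & "/" & upload.serverFile>

    <!--- 2. Validate by content; anything that is not a real jpg/gif is deleted --->
    <cfset imgType = detectImageType(tmpFile)>
    <cfif imgType EQ "">
        <cfset fileDelete(tmpFile)>
        <cfthrow type="UploadNotAccepted" message="File content not accepted">
    </cfif>

    <!--- 3. Only now move it into place, under a server-chosen name and extension --->
    <cfset fileMove(tmpFile, request.uploadPath & "/" & createUUID() & "." & imgType)>

    <cfcatch>
        <!--- Per Andreas's tip: show the type message only for type rejections --->
        <cfset attributes.errors.type = "error">
        <cfif cfcatch.type EQ "UploadNotAccepted" OR FindNoCase("not accepted", cfcatch.message)>
            <cfset attributes.errors.message = "The type of file you have tried to upload is not allowed, please select a jpg or gif.">
        <cfelse>
            <cfset attributes.errors.message = "Sorry, your file could not be uploaded.">
        </cfif>
        <cfset request.continue = false>
    </cfcatch>
</cftry>
```

Because the final name and extension are chosen by the server from the detected type, the client-supplied file name never reaches request.uploadPath.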