Re: Multipart Form - Ascertain File Type
This WebDNA talk-list message is from 2007
It keeps the original formatting.
Ok, you guys have definitely given me something to think about. Knowing that I don't necessarily have the ability to determine the difference between a text file and a potential virus changes my plans a bit. I've been using this process for our intranet, which wasn't an issue. But we're considering opening this capability up to some clients. Not sure it's really that safe now.

Gary, if you happen to locate the template you mentioned, could you please email it to me at tana@volleyhut.com? I'd really appreciate it. I can still use that capability for our intranet.

Thanks so much for all your responses. They were very helpful.

Tana

----------------------------------
Gary Krockover wrote:

If you have the default install of WebDNA on your server, take a look at the file /admin/upload_multiphotos2.tpl

It shows you how to distinguish between a .jpg and a .gif file.

I've used that basic file to figure out the file extensions. However be aware that just because the file says it's a .txt does not actually mean it IS a txt.

For image validation I sometimes run the .gif or .jpg through ImageMagick. If a real image is created then it was an image file. But if this is an open form for all web visitors you will have to test the validity somehow. If this is for your customers, well, you *should* be able to trust them, right?

--
Matthew A Perosi
Psi Prime, Inc.
http://www.psiprime.com
323 Union Blvd.
Totowa, NJ 07512
P: 973.225.9870
F: 973.413.8217

----------------------------------
Gary Krockover wrote:

Was it Dan Strong's template....not sure, but there's a template floating around that lets you set some variables; one of them being the file extension that it will accept for an upload. I'll see if I can find a copy of that somewhere.

If you need to verify the type of file after it's been uploaded and then do something with it if it isn't what it says it is, then you'll need some other mojo for that of course.

GJK

----------------------------------
John Peacock wrote:

AFAICT, this is impossible to do on the front end. In other words, the multipart MIME upload doesn't have any mechanism to validate the file contents when uploaded. That doesn't mean you can't validate the file after the fact, and simply delete anything that doesn't meet whatever criteria you like (too large, not a JPEG, not named .txt, etc).

Be aware that trying to determine what the file contains using only the filename (especially extension) is fraught with danger and pitfalls. One of the results of M$loth's infinite stupidity is the constant issue with e-mail attachments of the form innocuous_file.txt.exe, which based on default (read: STUPID) Windows default is displayed as innocuous_file.txt when in actuality, it is a worm/virus/rootkit...

John

--
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4501 Forbes Boulevard
Suite H
Lanham, MD 20706
301-459-3366 x.5010
fax 301-429-5748

-----Original Message-----
From: Tana Adams [mailto:tana@volleyhut.com]
Sent: Friday, March 30, 2007 11:09 AM
To: WebDNA Talk
Subject: Multipart Form - Ascertain File Type

Hi,

I was wondering if anyone knew how to ascertain what type of file was being uploaded when using a multipart form. I'm trying to create a file upload that will only allow a .txt file to be uploaded. I've tried to ascertain the file type coming in using the formvariables context but it doesn't seem to work. The form works fine...files uploading without problem. Does anyone have any ideas?

Thank you,
Tana
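One way to do the after-the-fact validation discussed in this thread, as an added example that is not part of the original messages and is written in Python rather than WebDNA. The function name `check_text_upload`, the size limit and the short signature list are assumptions chosen for illustration; the check looks at both the client-supplied name and the received bytes, so a renamed executable or image is rejected even when its name ends in .txt.

```python
import os

# Leading bytes of common non-text formats (well-known file signatures).
MAGIC = {
    b"MZ": "Windows executable",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP archive",
    b"GIF8": "GIF image",
    b"\xff\xd8\xff": "JPEG image",
}
ALLOWED_CONTROL = {9, 10, 13}  # tab, LF, CR


def check_text_upload(filename, data, max_bytes=1_000_000):
    """Return a list of rejection reasons; an empty list means accept."""
    reasons = []
    # Keep only the last path component of the client-supplied name.
    name = os.path.basename(filename.replace("\\", "/"))
    stem, ext = os.path.splitext(name)
    if ext.lower() != ".txt":
        reasons.append(f"final extension is {ext or '(none)'}, not .txt")
    if "." in stem:
        reasons.append("more than one extension in file name")
    if len(data) > max_bytes:
        reasons.append("file too large")
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            reasons.append(f"content starts like a {kind}")
    if any(b < 32 and b not in ALLOWED_CONTROL for b in data):
        reasons.append("control or NUL bytes in content")
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        reasons.append("content is not valid UTF-8 text")
    return reasons


# Constructed sample uploads: (client-supplied name, received bytes).
SAMPLES = [
    ("notes.txt", b"line one\r\nline two\n"),
    ("innocuous_file.txt.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("report.txt", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("photo.txt", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        problems = check_text_upload(name, data)
        print(name, "->", "accept" if not problems else problems)
```

A file that passes these checks is only plausibly text. Storing it outside the web root under a server-generated name keeps the client-supplied name from deciding how the file is handled later.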