Hi Matt -
It's not clear (though I guess I could dissect the latest nightly in
the repository) if the fileUpload() function will first upload the
file to a temp, non-Web accessible directory and then move it to the
specified destination directory, or if it just uploads the file to the
destination directory.
This gets to the <cffile> upload issue that plagued a lot of Web sites
a couple of months ago, including Ben Forta's and House of Fusion,
where because they were allowing uploads but not first uploading them
to a non-Web accessible directory, hackers were able to request those
files in the milliseconds between upload and deletion of the file once it
was determined to be malicious. I don't know if it's Mach-II's place
to worry about security and this particular issue, but it seems to me
that if the fileUpload() isn't taking this into account, its use
will be pretty curtailed by most people who use Mach-II. I know that I
wouldn't use it for just this security vulnerability.
brian
On Nov 16, 7:10 pm, Matthew Woodward <m...@mattwoodward.com> wrote:
> I wanted to let everyone know that the <form:file> custom tag I mentioned a
> while ago is (or will be tonight) in the nightly builds. You can read more
> in the docs:
> https://greatbiztoolsllc.trac.cvsdude.com/mach-ii/wiki/MachII1.8Speci...
>
> It's pretty straight-forward but I'd love it if some of our users could put
> it through its paces.
>
> Note that we wound up *not* appending _-_file_-_ on the end of the form
> field when the HTML is output. That was originally proposed because we were
> considering having the file be automatically uploaded, but we quickly
> decided that was a bad idea from a validation and security standpoint so
> it's no longer needed.
>
> There's still time to comment on syntax, etc. so if you don't like what you
> see, please speak up!
>
> Thanks.
>
> --
> Matthew Woodward
> m...@mattwoodward.com
> http://mpwoodward.posterous.com
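The upload-then-check race described in the thread, as a constructed Python illustration added here (not Mach-II or CFML code from the thread): the insecure flow writes straight into the webroot and deletes on failure, so the file is requestable by URL before the check runs, while the hardened flow lands the file in a quarantine directory outside the webroot, validates it there, and only then moves it into place. The content check and the two sample files are assumptions made for the example.

```python
import os
import shutil
import tempfile

# Constructed sample uploads (filename -> bytes); not from the thread.
SAMPLE_UPLOADS = {"report.txt": b"quarterly numbers",
                  "shell.cfm": b"<cfoutput>#cgi.query_string#</cfoutput>"}

def is_acceptable(name, path):
    # Stand-in content check (an assumption; a real site would scan the
    # file): reject server-side script extensions and tag-like leading bytes.
    if os.path.splitext(name)[1].lower() in {".cfm", ".cfc", ".php", ".jsp"}:
        return False
    with open(path, "rb") as f:
        return b"<" not in f.read(512)

def web_reachable(webroot, path):
    root, path = os.path.realpath(webroot), os.path.realpath(path)
    return os.path.commonpath([root, path]) == root

def upload(webroot, quarantine, name, data, secure):
    # secure=False is the pattern from the thread: write into the webroot,
    # check afterwards, delete if bad; the file is requestable by URL before
    # the check. secure=True lands it outside the webroot, checks, then moves.
    dest = os.path.join(webroot, os.path.basename(name))
    if secure:
        fd, landing = tempfile.mkstemp(dir=quarantine)
        os.close(fd)
    else:
        landing = dest
    with open(landing, "wb") as f:
        f.write(data)
    exposed = web_reachable(webroot, landing)  # the race window, if any
    if not is_acceptable(name, landing):
        os.remove(landing)
        return None, exposed
    if secure:
        shutil.move(landing, dest)
    return dest, exposed

def run(name, secure):
    # One sample upload in a fresh temp tree; the quarantine directory is a
    # sibling of the webroot, not under it. Returns (published, exposed).
    root = tempfile.mkdtemp()
    webroot = os.path.join(root, "www")
    os.makedirs(webroot)
    quarantine = tempfile.mkdtemp(dir=root)
    dest, exposed = upload(webroot, quarantine, name, SAMPLE_UPLOADS[name], secure)
    shutil.rmtree(root)
    return dest is not None, exposed
```

With the insecure flow the rejected shell.cfm was still web-reachable for the moment before its deletion; with the hardened flow neither sample is ever reachable until it has passed the check.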