Wrox Programmer Forums

  #11 (permalink)  
Old February 21st, 2007, 09:33 AM
Wrox Author
Join Date: Oct 2005
Location: Ohio, USA
Posts: 4,104
Thanks: 1
Thanked 64 Times in 64 Posts
Send a message via AIM to dparsons

That statement is an example.

What he is saying is that, if a user comes to your site with the intent of executing malicious scripts and all you are doing is checking the file extension with JavaScript to ensure it is OK to upload, this user could disable JavaScript in their browser and could then upload an ASP file to your upload directory.

If that code contained this script:

<%
  dim fs
  Set fs=Server.CreateObject("Scripting.FileSystemObject")
  fs.DeleteFile("c:\SomeImportantFile.txt")
%>

It would potentially delete a file off of your C drive, because all the user would have to do is navigate to the directory you upload files to and execute the ASP file he just uploaded, and you are none the wiser that an ASP script was uploaded. (Until you go looking for the important file that just got deleted off of your C drive.)

===========================================================
Read this if you want to know how to get a correct reply for your question:
http://www.catb.org/~esr/faqs/smart-questions.html
^^Took that from planoie's profile^^
^^Modified text taken from gbianchi profile^^
===========================================================
Technical Editor for: Professional Search Engine Optimization with ASP.NET
http://www.wiley.com/WileyCDA/WileyT...470131470.html

Discussion:
http://p2p.wrox.com/topic.asp?TOPIC_ID=56429
  #12 (permalink)  
Old February 21st, 2007, 01:32 PM
Imar's Avatar
Wrox Author
Join Date: Jun 2003
Location: Utrecht, Netherlands.
Posts: 17,086
Thanks: 80
Thanked 1,587 Times in 1,563 Posts

Yes, that was exactly what I was saying... Thanks... ;)

Imar
  #13 (permalink)  
Old February 21st, 2007, 02:06 PM
Wrox Author
Join Date: Oct 2005
Location: Ohio, USA
Posts: 4,104
Thanks: 1
Thanked 64 Times in 64 Posts
Send a message via AIM to dparsons

No problem resident guru of everything that is Dreamweaver and ASP.NET 2.0 =]

  #14 (permalink)  
Old February 24th, 2007, 09:15 AM
Friend of Wrox
 
Join Date: May 2005
Location: , , Norway.
Posts: 189
Thanks: 0
Thanked 0 Times in 0 Posts

...but then I need a server-side test to check whether the client browser has JavaScript enabled on each step (page) of my web app. At least after the file upload, but before the upload-response page... puuuh !? And if not, the client is dismissed...

Mvh
grstad :)
  #15 (permalink)  
Old February 24th, 2007, 09:38 AM
Imar's Avatar
Wrox Author
Join Date: Jun 2003
Location: Utrecht, Netherlands.
Posts: 17,086
Thanks: 80
Thanked 1,587 Times in 1,563 Posts

No, you don't have to do that. What you need to do is check the uploaded file at the server before you save it. How you do this depends on the server side technology you're using. For example, in ASP.NET with C# you could so something like this:
Code:
if (FileUpload1.PostedFile.FileName.EndsWith(".jpg"))
{
  FileUpload1.SaveAs(SomePath);
}
else
{
  throw new Exception("Can't save files other than .jpg");
}
Instead of throwing an exception you could explain to the user what went wrong.

If you're only allowing images, you could even try to load the image into an Image object with GDI+ to ensure that the file really contains a readable image.

Cheers,

Imar
---------------------------------------
Imar Spaanjaars
http://Imar.Spaanjaars.Com
Everyone is unique, except for me.
Author of ASP.NET 2.0 Instant Results and Beginning Dreamweaver MX / MX 2004
  #16 (permalink)  
Old February 24th, 2007, 04:48 PM
Friend of Wrox
 
Join Date: May 2005
Location: , , Norway.
Posts: 189
Thanks: 0
Thanked 0 Times in 0 Posts

...Imar, With ASP 3.0

Can you comment this;

<%
dim a
a = File.Filename

if instr(a,".gif") Then
else
  'some err msg
End if
%>

Mvh
grstad
  #17 (permalink)  
Old February 24th, 2007, 08:25 PM
Imar's Avatar
Wrox Author
Join Date: Jun 2003
Location: Utrecht, Netherlands.
Posts: 17,086
Thanks: 80
Thanked 1,587 Times in 1,563 Posts

What do you mean with "comment this"? Are you asking me if this is secure? I don't know what File is but I know this isn't secure:

   if instr(a,".gif") Then

as it allows a file called SomeFile.gif.asp to pass.....

Imar
  #18 (permalink)  
Old March 10th, 2007, 09:22 AM
Friend of Wrox
 
Join Date: May 2005
Location: , , Norway.
Posts: 189
Thanks: 0
Thanked 0 Times in 0 Posts

...Imar, can your C# validation be incorporated into this (which is part of the upload procedure, cut/pasted from the net);


<%
    Public Sub SaveToDisk(sPath)
        Dim oFS, oFile
        Dim nIndex

        If sPath = "" Or FileName = "" Then Exit Sub
        If Mid(sPath, Len(sPath)) <> "\" Then sPath = sPath & "\"

        Set oFS = Server.CreateObject("Scripting.FileSystemObject")
        If Not oFS.FolderExists(sPath) Then Exit Sub

        Set oFile = oFS.CreateTextFile(sPath & FileName, True)

        For nIndex = 1 to LenB(FileData)
            oFile.Write Chr(AscB(MidB(FileData,nIndex,1)))
        Next

        oFile.Close
    End Sub

    Public Sub SaveToDatabase(ByRef oField)
        If LenB(FileData) = 0 Then Exit Sub

        If IsObject(oField) Then
            oField.AppendChunk FileData
        End If
    End Sub
%>

Mvh
grstad
  #19 (permalink)  
Old March 10th, 2007, 09:27 AM
Imar's Avatar
Wrox Author
Join Date: Jun 2003
Location: Utrecht, Netherlands.
Posts: 17,086
Thanks: 80
Thanked 1,587 Times in 1,563 Posts

Again, I don't understand what you're asking.

Obviously, you can't incorporate C# in a VB Script, but I don't think that's what you're asking....

Can you elaborate?

Imar
  #20 (permalink)  
Old March 10th, 2007, 09:40 AM
Friend of Wrox
 
Join Date: May 2005
Location: , , Norway.
Posts: 189
Thanks: 0
Thanked 0 Times in 0 Posts

...this code;

<%
    Public Sub SaveToDisk(sPath)
        Dim oFS, oFile
        Dim nIndex

        If sPath = "" Or FileName = "" Then Exit Sub
        If Mid(sPath, Len(sPath)) <> "\" Then sPath = sPath & "\"

        Set oFS = Server.CreateObject("Scripting.FileSystemObject")
        If Not oFS.FolderExists(sPath) Then Exit Sub

        Set oFile = oFS.CreateTextFile(sPath & FileName, True)

        For nIndex = 1 to LenB(FileData)
            oFile.Write Chr(AscB(MidB(FileData,nIndex,1)))
        Next

        oFile.Close
    End Sub

    Public Sub SaveToDatabase(ByRef oField)
        If LenB(FileData) = 0 Then Exit Sub

        If IsObject(oField) Then
            oField.AppendChunk FileData
        End If
    End Sub
%>


...is part of a file I have included into my app. The file is all taken from the net.

Would it not be possible to validate the file extension (.jpeg, .gif) within the script line or in cooperation with;

      If sPath = "" Or FileName = "" Then Exit Sub

..?

Mvh
grstad