Wrox Programmer Forums
You are currently viewing the Javascript How-To section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
#11
February 21st, 2007, 09:33 AM
dparsons
Wrox Author
Points: 13,255, Level: 49
Activity: 0%
Join Date: Oct 2005
Location: Ohio, USA
Posts: 4,104
Thanks: 1
Thanked 64 Times in 64 Posts

That statement is an example.

What he is saying is that, if a user comes to your site with the intent of executing malicious scripts and all you are doing is checking the file extension of the file with JavaScript to ensure it is OK to upload, this user could disable JavaScript in their browser and could then upload an ASP file to your upload directory.

If that code contained this script:

<%
  ' Deletes a file on the server as soon as the uploaded page is requested
  dim fs
  Set fs = Server.CreateObject("Scripting.FileSystemObject")
  fs.DeleteFile("c:\SomeImportantFile.txt")
%>

It would potentially delete a file off of your C drive, because all the user would have to do is navigate to the directory you upload files to and execute the ASP file that he just uploaded, and you are none the wiser that an ASP script was uploaded. (Until you go looking for the important file that just got deleted off of your C drive.)

===========================================================
Read this if you want to know how to get a correct reply for your question:
http://www.catb.org/~esr/faqs/smart-questions.html
^^Took that from planoie's profile^^
^^Modified text taken from gbianchi profile^^
===========================================================
Technical Editor for: Professional Search Engine Optimization with ASP.NET
http://www.wiley.com/WileyCDA/WileyT...470131470.html

Discussion:
http://p2p.wrox.com/topic.asp?TOPIC_ID=56429
#12
February 21st, 2007, 01:32 PM
Imar
Wrox Author
Points: 70,322, Level: 100
Activity: 0%
Join Date: Jun 2003
Location: Utrecht, Netherlands.
Posts: 17,089
Thanks: 80
Thanked 1,576 Times in 1,552 Posts

Yes, that was exactly what I was saying... Thanks... ;)

Imar
#13
February 21st, 2007, 02:06 PM
dparsons
Wrox Author
Points: 13,255, Level: 49
Activity: 0%
Join Date: Oct 2005
Location: Ohio, USA
Posts: 4,104
Thanks: 1
Thanked 64 Times in 64 Posts

No problem, resident guru of everything that is Dreamweaver and ASP.NET 2.0 =]

#14
February 24th, 2007, 09:15 AM
grstad
Friend of Wrox
Join Date: May 2005
Location: Norway.
Posts: 189
Thanks: 0
Thanked 0 Times in 0 Posts

...but then I need a server-side test to check whether the client browser has JavaScript enabled on each step (page) of my web app. At least after the file upload, but before the upload-response page... puuuh!? And if not, the client is dismissed...

Mvh
grstad :)
#15
February 24th, 2007, 09:38 AM
Imar
Wrox Author
Points: 70,322, Level: 100
Activity: 0%
Join Date: Jun 2003
Location: Utrecht, Netherlands.
Posts: 17,089
Thanks: 80
Thanked 1,576 Times in 1,552 Posts

No, you don't have to do that. What you need to do is check the uploaded file at the server before you save it. How you do this depends on the server-side technology you're using. For example, in ASP.NET with C# you could do something like this:
Code:
if (FileUpload1.PostedFile.FileName.EndsWith(".jpg"))
{
  FileUpload1.SaveAs(SomePath);
}
else
{
  throw new Exception("Can't save files other than .jpg");
}
Instead of throwing an exception you could explain to the user what went wrong.

If you're only allowing images, you could even try to load the image into an Image object with GDI+ to ensure that the file really contains a readable image.

Cheers,

Imar
---------------------------------------
Imar Spaanjaars
http://Imar.Spaanjaars.Com
Everyone is unique, except for me.
Author of ASP.NET 2.0 Instant Results and Beginning Dreamweaver MX / MX 2004
While typing this post, I was listening to: Tragedy (For You) [12" Vox] by Front 242 (Track 1 from the album: Tragedy (For You))
#16
February 24th, 2007, 04:48 PM
grstad
Friend of Wrox
Join Date: May 2005
Location: Norway.
Posts: 189
Thanks: 0
Thanked 0 Times in 0 Posts

...Imar, with ASP 3.0

Can you comment on this;

<%
dim a
a = File.Filename

if instr(a,".gif") Then
else
  'some err msg
End if
%>

Mvh
grstad
#17
February 24th, 2007, 08:25 PM
Imar
Wrox Author
Points: 70,322, Level: 100
Activity: 0%
Join Date: Jun 2003
Location: Utrecht, Netherlands.
Posts: 17,089
Thanks: 80
Thanked 1,576 Times in 1,552 Posts

What do you mean by "comment this"? Are you asking me if this is secure? I don't know what File is, but I know this isn't secure:

   if instr(a,".gif") Then

as it allows a file called SomeFile.gif.asp to pass.....

Imar
#18
March 10th, 2007, 09:22 AM
grstad
Friend of Wrox
Join Date: May 2005
Location: Norway.
Posts: 189
Thanks: 0
Thanked 0 Times in 0 Posts

...Imar, can your C# validation be incorporated into this (which is part of the upload procedure, cut/pasted from the net);

<%
    Public Sub SaveToDisk(sPath)
        Dim oFS, oFile
        Dim nIndex

        If sPath = "" Or FileName = "" Then Exit Sub
        If Mid(sPath, Len(sPath)) <> "\" Then sPath = sPath & "\"

        Set oFS = Server.CreateObject("Scripting.FileSystemObject")
        If Not oFS.FolderExists(sPath) Then Exit Sub

        Set oFile = oFS.CreateTextFile(sPath & FileName, True)

        For nIndex = 1 to LenB(FileData)
            oFile.Write Chr(AscB(MidB(FileData,nIndex,1)))
        Next

        oFile.Close
    End Sub

    Public Sub SaveToDatabase(ByRef oField)
        If LenB(FileData) = 0 Then Exit Sub

        If IsObject(oField) Then
            oField.AppendChunk FileData
        End If
    End Sub
%>

Mvh
grstad
#19
March 10th, 2007, 09:27 AM
Imar
Wrox Author
Points: 70,322, Level: 100
Activity: 0%
Join Date: Jun 2003
Location: Utrecht, Netherlands.
Posts: 17,089
Thanks: 80
Thanked 1,576 Times in 1,552 Posts

Again, I don't understand what you're asking.

Obviously, you can't incorporate C# in a VB Script, but I don't think that's what you're asking....

Can you elaborate?

Imar
#20
March 10th, 2007, 09:40 AM
grstad
Friend of Wrox
Join Date: May 2005
Location: Norway.
Posts: 189
Thanks: 0
Thanked 0 Times in 0 Posts

...this code;

<%
    Public Sub SaveToDisk(sPath)
        Dim oFS, oFile
        Dim nIndex

        If sPath = "" Or FileName = "" Then Exit Sub
        If Mid(sPath, Len(sPath)) <> "\" Then sPath = sPath & "\"

        Set oFS = Server.CreateObject("Scripting.FileSystemObject")
        If Not oFS.FolderExists(sPath) Then Exit Sub

        Set oFile = oFS.CreateTextFile(sPath & FileName, True)

        For nIndex = 1 to LenB(FileData)
            oFile.Write Chr(AscB(MidB(FileData,nIndex,1)))
        Next

        oFile.Close
    End Sub

    Public Sub SaveToDatabase(ByRef oField)
        If LenB(FileData) = 0 Then Exit Sub

        If IsObject(oField) Then
            oField.AppendChunk FileData
        End If
    End Sub
%>


...is part of a file I have included into my app. The file is all taken from the net.

Would it not be possible to validate the file extension (.jpeg, .gif) within the script line, or in cooperation with;

      If sPath = "" Or FileName = "" Then Exit Sub

..?

Mvh
grstad
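The checks Imar describes in #15 and #17 (an allowlist on the file's real extension, then opening the bytes to confirm they really are an image) wired into a save routine at the point grstad asks about in #20. This is an added example, not code from the thread: it is written in Python rather than VBScript so it runs stand-alone, a magic-byte comparison stands in for Imar's GDI+ load, and the file names and contents are constructed.

```python
import os
import tempfile

# Added example, not code from this thread: Imar's two checks (allowlist on
# the real extension, then a look at the bytes instead of a GDI+ load) placed
# where grstad asked, at the top of SaveToDisk before the file is created.
ALLOWED = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8"}


def extension_ok(filename):
    """Allowlist on the final extension only: 'SomeFile.gif.asp' is .asp."""
    return os.path.splitext(filename)[1].lower() in ALLOWED


def contains_check(filename):
    """The instr(a, ".gif") check from the thread, kept for comparison."""
    return ".gif" in filename.lower()


def content_ok(filename, data):
    """Stand-in for loading the image with GDI+: leading bytes must match."""
    sig = ALLOWED.get(os.path.splitext(filename)[1].lower())
    return sig is not None and data.startswith(sig)


def save_to_disk(directory, filename, data):
    """Port of the thread's SaveToDisk; returns the path, or None if rejected."""
    if not directory or not filename:        # If sPath = "" Or FileName = ""
        return None
    if not os.path.isdir(directory):         # If Not oFS.FolderExists(sPath)
        return None
    if not extension_ok(filename) or not content_ok(filename, data):
        return None                          # reject before creating the file
    # Base name only, so the file always lands inside the upload folder.
    target = os.path.join(directory, os.path.basename(filename))
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def demo():
    """Constructed uploads: a real GIF header and a double-extension ASP page.
    Returns (path of the accepted file, None for the rejected one)."""
    upload_dir = tempfile.mkdtemp()
    good = save_to_disk(upload_dir, "photo.gif", b"GIF89a\x01\x00")
    bad = save_to_disk(upload_dir, "SomeFile.gif.asp", b"<% %>")
    return good, bad
```

Note that contains_check("SomeFile.gif.asp") is True while extension_ok rejects it, which is exactly the gap Imar points out in #17.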
Copyright (c) 2020 John Wiley & Sons, Inc.