Javascript How-To: Ask your "How do I do this with Javascript?" questions here.
Welcome to the p2p.wrox.com Forums.
You are currently viewing the Javascript How-To section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com

February 21st, 2007, 09:33 AM
Wrox Author
Join Date: Oct 2005 | Posts: 4,104 | Thanks: 1 | Thanked 64 Times in 64 Posts
That statement is an example.
What he is saying is that, if a user comes to your site with the intent of executing malicious scripts and all you are doing is checking the file extension with JavaScript to ensure it is OK to upload, this user could disable JavaScript in their browser and could now upload an ASP file to your upload directory.
If that code contained this script:
<%
    dim fs
    Set fs = Server.CreateObject("Scripting.FileSystemObject")
    fs.DeleteFile("c:\SomeImportantFile.txt")
%>
It would potentially delete a file off of your C drive, because all the user would have to do is navigate to the directory you upload files to and execute the ASP file that he just uploaded, and you are none the wiser that an ASP script was uploaded. (Until you go looking for the important file that just got deleted off of your C drive.)
===========================================================
Read this if you want to know how to get a correct reply for your question:
http://www.catb.org/~esr/faqs/smart-questions.html
^^Took that from planoie's profile^^
^^Modified text taken from gbianchi profile^^
===========================================================
Technical Editor for: Professional Search Engine Optimization with ASP.NET
http://www.wiley.com/WileyCDA/WileyT...470131470.html
Discussion:
http://p2p.wrox.com/topic.asp?TOPIC_ID=56429

February 21st, 2007, 01:32 PM
Wrox Author
Join Date: Jun 2003 | Posts: 17,089 | Thanks: 80 | Thanked 1,576 Times in 1,552 Posts
Yes, that was exactly what I was saying... Thanks... ;)
Imar

February 24th, 2007, 09:15 AM
Friend of Wrox
Join Date: May 2005 | Posts: 189 | Thanks: 0 | Thanked 0 Times in 0 Posts
...but then I need a server-side test to check whether the client browser has enabled JavaScript on each step (page) of my web app. At least after the file upload, but before the upload-response page... puuuh!? And if not, the client is dismissed...
Mvh
grstad :)

February 24th, 2007, 09:38 AM
Wrox Author
Join Date: Jun 2003 | Posts: 17,089 | Thanks: 80 | Thanked 1,576 Times in 1,552 Posts
No, you don't have to do that. What you need to do is check the uploaded file at the server before you save it. How you do this depends on the server-side technology you're using. For example, in ASP.NET with C# you could do something like this:
Code:
// Server-side check on the posted file name: unlike the JavaScript check,
// the client cannot switch this one off. The comparison ignores case so
// that .JPG is accepted as well as .jpg.
if (FileUpload1.PostedFile.FileName.EndsWith(".jpg", StringComparison.OrdinalIgnoreCase))
{
    FileUpload1.SaveAs(SomePath);
}
else
{
    throw new Exception("Can't save files other than .jpg");
}
Instead of throwing an exception you could explain to the user what went wrong.
If you're only allowing images, you could even try to load the image into an Image object with GDI+ to ensure that the file really contains a readable image.
Cheers,
Imar
---------------------------------------
Imar Spaanjaars
http://Imar.Spaanjaars.Com
Everyone is unique, except for me.
Author of ASP.NET 2.0 Instant Results and Beginning Dreamweaver MX / MX 2004
While typing this post, I was listening to: Tragedy (For You) [12" Vox] by Front 242 (Track 1 from the album: Tragedy (For You))

February 24th, 2007, 04:48 PM
Friend of Wrox
Join Date: May 2005 | Posts: 189 | Thanks: 0 | Thanked 0 Times in 0 Posts
...Imar, with ASP 3.0
Can you comment this;
<%
    dim a
    a = File.Filename
    if instr(a, ".gif") Then
        ' accepted
    else
        ' some err msg
    End if
%>
Mvh
grstad 

February 24th, 2007, 08:25 PM
Wrox Author
Join Date: Jun 2003 | Posts: 17,089 | Thanks: 80 | Thanked 1,576 Times in 1,552 Posts
What do you mean by "comment this"? Are you asking me if this is secure? I don't know what File is, but I know this isn't secure:
if instr(a,".gif") Then
as it allows a file called SomeFile.gif.asp to pass.....
Imar

March 10th, 2007, 09:22 AM
Friend of Wrox
Join Date: May 2005 | Posts: 189 | Thanks: 0 | Thanked 0 Times in 0 Posts
...Imar, can your C# validation be incorporated into this (which is part of the upload procedure, cut/pasted from the net);
<%
' FileName and FileData are presumably set elsewhere in the included upload
' script: the name the client sent and the raw bytes of the posted file.
Public Sub SaveToDisk(sPath)
    Dim oFS, oFile
    Dim nIndex
    If sPath = "" Or FileName = "" Then Exit Sub
    ' Make sure the folder path ends with a backslash
    If Mid(sPath, Len(sPath)) <> "\" Then sPath = sPath & "\"
    Set oFS = Server.CreateObject("Scripting.FileSystemObject")
    If Not oFS.FolderExists(sPath) Then Exit Sub
    ' The file is written byte by byte under the client-supplied name
    Set oFile = oFS.CreateTextFile(sPath & FileName, True)
    For nIndex = 1 To LenB(FileData)
        oFile.Write Chr(AscB(MidB(FileData, nIndex, 1)))
    Next
    oFile.Close
End Sub

Public Sub SaveToDatabase(ByRef oField)
    If LenB(FileData) = 0 Then Exit Sub
    If IsObject(oField) Then
        oField.AppendChunk FileData
    End If
End Sub
%>
Mvh
grstad 

March 10th, 2007, 09:27 AM
Wrox Author
Join Date: Jun 2003 | Posts: 17,089 | Thanks: 80 | Thanked 1,576 Times in 1,552 Posts
Again, I don't understand what you're asking.
Obviously, you can't incorporate C# in a VB Script, but I don't think that's what you're asking....
Can you elaborate?
Imar

March 10th, 2007, 09:40 AM
Friend of Wrox
Join Date: May 2005 | Posts: 189 | Thanks: 0 | Thanked 0 Times in 0 Posts
...this code;
<%
' FileName and FileData are presumably set elsewhere in the included upload
' script: the name the client sent and the raw bytes of the posted file.
Public Sub SaveToDisk(sPath)
    Dim oFS, oFile
    Dim nIndex
    If sPath = "" Or FileName = "" Then Exit Sub
    ' Make sure the folder path ends with a backslash
    If Mid(sPath, Len(sPath)) <> "\" Then sPath = sPath & "\"
    Set oFS = Server.CreateObject("Scripting.FileSystemObject")
    If Not oFS.FolderExists(sPath) Then Exit Sub
    ' The file is written byte by byte under the client-supplied name
    Set oFile = oFS.CreateTextFile(sPath & FileName, True)
    For nIndex = 1 To LenB(FileData)
        oFile.Write Chr(AscB(MidB(FileData, nIndex, 1)))
    Next
    oFile.Close
End Sub

Public Sub SaveToDatabase(ByRef oField)
    If LenB(FileData) = 0 Then Exit Sub
    If IsObject(oField) Then
        oField.AppendChunk FileData
    End If
End Sub
%>
...is part of a file I have included in my app. The file is all taken from the net.
Would it not be possible to validate the file extension (.jpeg, .gif) within the script line, or in cooperation with;
If sPath = "" Or FileName = "" Then Exit Sub
..?
Mvh
grstad 
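The server-side check Imar describes earlier in the thread (validate the uploaded file before saving it, and note that a plain substring match on ".gif" lets SomeFile.gif.asp through), together with the final question about validating the extension next to the `If sPath = "" Or FileName = "" Then Exit Sub` guard in SaveToDisk, worked as an added example. This is not code from the thread or from any of its posters; it is written in Python rather than VBScript so it can be run stand-alone, and the allow-list, the byte-signature table, the sample file names and the sample bodies are all constructed for the example. The leading-bytes check is a lightweight substitute for Imar's suggestion of loading the file with GDI+; it catches a script renamed to .gif but is not a full image parse.

```python
"""Server-side upload validation. The client-side JavaScript check can be
switched off, so the server must decide before SaveToDisk writes anything:
check the *final* extension (so SomeFile.gif.asp is rejected) and the file's
leading bytes (so an ASP script renamed to .gif is rejected as well)."""
import os
from typing import Tuple

# Allow-list of extensions this upload form accepts (assumed set).
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png"}

# Leading bytes ("magic numbers") a file of each allowed type starts with.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}


def substring_check(filename: str) -> bool:
    """The check from the thread, instr(a, ".gif"): true for any name that
    merely *contains* ".gif", which is why "SomeFile.gif.asp" slips through."""
    return ".gif" in filename.lower()


def final_extension(filename: str) -> str:
    """Lower-cased extension after the LAST dot of the base name. Directory
    parts are stripped first: the client controls the name and may send
    something like ..\\..\\evil.gif."""
    base = os.path.basename(filename.replace("\\", "/"))
    return os.path.splitext(base)[1].lower()


def extension_allowed(filename: str) -> bool:
    return final_extension(filename) in ALLOWED_EXTENSIONS


def content_matches_extension(filename: str, data: bytes) -> bool:
    """Require the body to start with a signature of the claimed image type
    (a cheap stand-in for actually decoding the image with GDI+)."""
    signatures = MAGIC.get(final_extension(filename), ())
    return any(data.startswith(sig) for sig in signatures)


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether to save. Mirrors the empty-name guard at the top of
    SaveToDisk, with the extension and content checks added after it."""
    if not filename or not data:
        return False, "empty file name or empty body"
    if not extension_allowed(filename):
        return False, "extension %r is not allowed" % final_extension(filename)
    if not content_matches_extension(filename, data):
        return False, "content does not look like a %s file" % final_extension(filename)
    return True, "ok"


def storage_name(filename: str, token: str) -> str:
    """Name to save under: a server-generated token plus the validated
    extension, never the client's own name (which may carry path parts)."""
    return token + final_extension(filename)


# Constructed sample uploads (name, first bytes of the body) for a self-test.
SAMPLES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),          # JPEG header
    ("logo.GIF", b"GIF89a" + b"\x00" * 16),                     # upper-case ext
    ("SomeFile.gif.asp", b"<% 'constructed, not an image %>"),  # double extension
    ("script.asp", b"<% 'constructed, not an image %>"),
    ("fake.gif", b"<% 'constructed, not an image %>"),          # renamed script
    ("..\\..\\evil.gif", b"GIF89a" + b"\x00" * 16),             # path in name
]


def run_samples() -> dict:
    """Map each constructed sample name to its accept/reject verdict."""
    return {name: validate_upload(name, data)[0] for name, data in SAMPLES}


if __name__ == "__main__":
    for name, data in SAMPLES:
        ok, why = validate_upload(name, data)
        print("%-20s substring:%-5s final-ext:%-5s verdict:%-5s (%s)" % (
            name, substring_check(name), extension_allowed(name), ok, why))
```

The last sample shows why the extension check alone is not the whole story: `..\..\evil.gif` is a valid GIF with an allowed extension and is accepted, so the file must be saved under a name the server generates (`storage_name`) rather than under `sPath & FileName` as the SaveToDisk routine in the thread does.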