That statement is an example.

What he is saying is that, if a user comes to your site with the intent on executing malicious scripts and all you are doing to is checking the file exetension of the file with JavaScript to ensure it is ok to upload, this user could disable javascript in their browser and now could upload an ASP file to your upload directory.

If that code contained this script:

<%
  dim fs
  Set fs=Server.CreateObject("Scripting.FileSystemObject ")
  fs.DeleteFile("c:\SomeImportantFile.txt")
%>

It would potentially delete a file off of your C drive because all the user would have to do is navigate to the directory you upload files to, and execte the ASP file that he just uploaded and you are none the wiser that an asp script was uploaded. (Until you go looking for the important file that just got deleted off of your c drive.)

================================================== =========
Read this if you want to know how to get a correct reply for your question:
http://www.catb.org/~esr/faqs/smart-questions.html
^^Took that from planoie's profile^^
^^Modified text taken from gbianchi profile^^
================================================== =========
Technical Editor for: Professional Search Engine Optimization with ASP.NET
http://www.wiley.com/WileyCDA/WileyT...470131470.html

Discussion:
http://p2p.wrox.com/topic.asp?TOPIC_ID=56429

Yes, that was exactly what I was saying... Thanks... ;)

Imar

No problem resident guru of everything that is Dreamweaver and ASP.NET 2.0 =]

================================================== =========
Read this if you want to know how to get a correct reply for your question:
http://www.catb.org/~esr/faqs/smart-questions.html
^^Took that from planoie's profile^^
^^Modified text taken from gbianchi profile^^
================================================== =========
Technical Editor for: Professional Search Engine Optimization with ASP.NET
http://www.wiley.com/WileyCDA/WileyT...470131470.html

Discussion:
http://p2p.wrox.com/topic.asp?TOPIC_ID=56429

...but then I need a server side test to test if the client browser have enablede JavaScript on each step (page) of my web-app. At least after the file upload, but before the upload-response-page... puuuh !? And if not, the client is dismissed...

Mvh
grstad :)

No, you don't have to do that. What you need to do is check the uploaded file at the server before you save it. How you do this depends on the server side technology you're using. For example, in ASP.NET with C# you could so something like this: Instead of throwing an exception you could explain the user what went wrong.

If you're only allowing images, you could even try to load the image into an Image object wit GDI+ to ensure that the file really contains a readable image.

Cheers,

Imar
---------------------------------------
Imar Spaanjaars
http://Imar.Spaanjaars.Com
Everyone is unique, except for me.
Author of ASP.NET 2.0 Instant Results and Beginning Dreamweaver MX / MX 2004
While typing this post, I was listening to: Tragedy (For You) [12" Vox] by Front 242 (Track 1 from the album: Tragedy (For You)) What's This?

...Imar, With ASP 3.0

Can you comment this;

<%
dim a
a = File.Filename

      if instr(a,".gif") Then
    else
      'some err msg
      End if
%>

Mvh
grstad

What do you mean with "comment this"? Are you asking me if this is secure? I don't know what File is but I know this isn't secure:

   if instr(a,".gif") Then

as it allows a file called SomeFile.gif.asp to pass.....

Imar
---------------------------------------
Imar Spaanjaars
http://Imar.Spaanjaars.Com
Everyone is unique, except for me.
Author of ASP.NET 2.0 Instant Results and Beginning Dreamweaver MX / MX 2004
Want to be my colleague? Then check out this post.

...Imar, can your C# validation be incorporated into this (which is part of the upload-prosedure cut/paste from the net);


<%
    Public Sub SaveToDisk(sPath)
        Dim oFS, oFile
        Dim nIndex

If sPath = "" Or FileName = "" Then Exit Sub
        If Mid(sPath, Len(sPath)) <> "\" Then sPath = sPath & "\"

        Set oFS = Server.CreateObject("Scripting.FileSystemObject")
        If Not oFS.FolderExists(sPath) Then Exit Sub

        Set oFile = oFS.CreateTextFile(sPath & FileName, True)

        For nIndex = 1 to LenB(FileData)
            oFile.Write Chr(AscB(MidB(FileData,nIndex,1)))
        Next

        oFile.Close
    End Sub

    Public Sub SaveToDatabase(ByRef oField)
        If LenB(FileData) = 0 Then Exit Sub

        If IsObject(oField) Then
            oField.AppendChunk FileData
        End If
    End Sub
%>

Mvh
grstad

Again, I don't understand what you're asking.

Obviously, you can't incorporate C# in a VB Script, but I don't think that's what you're asking....

Can you elaborate?

Imar
---------------------------------------
Imar Spaanjaars
http://Imar.Spaanjaars.Com
Everyone is unique, except for me.
Author of ASP.NET 2.0 Instant Results and Beginning Dreamweaver MX / MX 2004
Want to be my colleague? Then check out this post.

...this code;

<%
    Public Sub SaveToDisk(sPath)
        Dim oFS, oFile
        Dim nIndex

If sPath = "" Or FileName = "" Then Exit Sub
        If Mid(sPath, Len(sPath)) <> "\" Then sPath = sPath & "\"

        Set oFS = Server.CreateObject("Scripting.FileSystemObject")
        If Not oFS.FolderExists(sPath) Then Exit Sub

        Set oFile = oFS.CreateTextFile(sPath & FileName, True)

        For nIndex = 1 to LenB(FileData)
            oFile.Write Chr(AscB(MidB(FileData,nIndex,1)))
        Next

        oFile.Close
    End Sub

    Public Sub SaveToDatabase(ByRef oField)
        If LenB(FileData) = 0 Then Exit Sub

        If IsObject(oField) Then
            oField.AppendChunk FileData
        End If
    End Sub
%>


...is part of a file I have included into my app. The file is all taken from the net.

Would it not be possible to validate the file extension (.jpeg, .gif) within the script-line or in corporation with;

      If sPath = "" Or FileName = "" Then Exit Sub

..?

Mvh
grstad