This code used to work fine with ColdFusion 9:

```cfml
<cfif form.btnSaveImage EQ "Upload">
    <cftry>
        <cffile accept="image/*" action="upload" destination="C:\T" filefield="vcImageFile" nameconflict="overwrite">
        <cfcatch type="Any">
            <cfdump var="#cfcatch#" label="cfcatch">
        </cfcatch>
    </cftry>
</cfif>

<form action="<cfoutput>#cgi.SCRIPT_NAME#</cfoutput>" method="post" name="frmImagesAdd" id="frmImagesAdd" enctype="multipart/form-data">
    <label for="vcImageFile">Image File*:</label><br>
    <input type="file" name="vcImageFile" id="vcImageFile" size="40" maxlength="255" message="Image file is required to upload."><br>
    <input type="hidden" name="btnSubmit" value="Add Image">
    <input name="btnSaveImage" type="submit" value="Upload">
</form>
```

The issue is the accept="image/*" attribute of the cffile tag. In ColdFusion 9, this wildcard used to accept any file with a MIME type that started with "image/". In ColdFusion 10, I get the following error message:

"The MIME type or the Extension of the uploaded file image/jpeg was not accepted by the server."

The MimeType value is "image/jpeg", so it should work with the wildcard.

I looked at the wikidocs for the cffile tag and it says this:

"ColdFusion 10: Modifications to the attribute accept"

However, it doesn't elaborate what those modifications are!

Looking at the upload action docs, it says that it will accept a comma delimited list of mime types. Does this mean that wildcards are no longer accepted?

Leigh
Scott Jibben
  • (Edit) What happens if you use [`strict=false`](http://www.sagarganatra.com/2012/03/coldfusion-10-cffile-restricting-file.html)? Not an answer to your question, but you might want to read this: [Secure file uploads / Don't rely on cffile accept attribute](http://www.petefreitag.com/item/701.cfm). Not sure if still applies in CF 10, just FYI... – Leigh Feb 20 '14 at 19:59
  • I personally have specified every image type I want to accept like this: image/jpeg, image/pjpeg, image/png, image/gif. In my opinion it's better to do it this way than use a wildcard. – volume one Feb 21 '14 at 11:28
  • @volumeone - I do not know if CF10 has changed, but in earlier versions the "accept" method was easy to hack, so you should not rely on it anyway. See link above. – Leigh Feb 21 '14 at 11:34
  • @Leigh, TYVM!! for the link to the info on 'don't rely on the cffile accept attribute'. I'll have to check the code to ensure that doesn't happen! Wish I could up-vote it more than one time. – Scott Jibben Mar 14 '14 at 00:36

1 Answer

FYI, this blog post has indicated the same problem same time last year:

http://www.cutterscrossing.com/index.cfm/2013/2/21/ColdFusion-10-File-Uploads-and-MIME-Types

Now, I remembered that there were changes to MIME type checking in CF 10, but I wasn't entirely sure. This code, written by one of our developers several months ago, would allow any "image" MIME type. What we discovered is that we couldn't do this kind of wildcard mapping under CF 10, that we now had to list out each accepted MIME type as a comma delimited list.

Henry
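
An added example (not code from the question, the answer, or the linked posts): the upload handler with each MIME type listed explicitly, as the answer describes, followed by server-side re-checks so that `accept` is not the only control, as the comments advise. The variable names (`allowedMime`, `allowedExt`, `up`, `tmpPath`), the extension list, the temp-directory staging and the log file name are assumptions.

```cfml
<!--- Added example. allowedMime uses the list given in the comments; allowedExt is an assumed list. --->
<cfset allowedMime = "image/jpeg,image/pjpeg,image/png,image/gif">
<cfset allowedExt  = "jpg,jpeg,png,gif">

<cfif structKeyExists(form, "btnSaveImage") AND form.btnSaveImage EQ "Upload">
    <cftry>
        <!--- List every MIME type instead of "image/*"; stage the file in the temp directory first. --->
        <cffile action="upload"
                filefield="vcImageFile"
                destination="#getTempDirectory()#"
                accept="#allowedMime#"
                nameconflict="makeunique"
                result="up">

        <cfset tmpPath = up.serverDirectory & "/" & up.serverFile>

        <!--- Re-check on the server: extension allow-list plus a test that the file decodes as an image. --->
        <cfif listFindNoCase(allowedExt, up.serverFileExt) AND isImageFile(tmpPath)>
            <cffile action="move" source="#tmpPath#" destination="C:\T\#up.serverFile#">
            <cfoutput>Saved #encodeForHTML(up.serverFile)#</cfoutput>
        <cfelse>
            <cffile action="delete" file="#tmpPath#">
            <cfoutput>Rejected: not an accepted image type.</cfoutput>
        </cfif>

        <cfcatch type="any">
            <!--- Log the error server-side rather than dumping cfcatch to the browser. --->
            <cflog file="uploads" type="error" text="#cfcatch.message#">
            <cfoutput>Upload failed.</cfoutput>
        </cfcatch>
    </cftry>
</cfif>
```

The file only reaches `C:\T` after both checks pass; anything else is deleted from the staging location.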