Search code examples
coldfusionuploadcffile

Does <cffile> "write" allow a file to execute before renaming/writing the file?

I've created a file upload for my client and I'm trying to make things as secure as possible. I'm using the following code to handle the file upload. The idea is to rename the file and write it to a folder outside the web root.

The question is, during the 'write' process is there any chance that ColdFusion will allow a malicious file to execute before the file is written to the folder and renamed with the following code?

This is at the top of my component...

<cfset destdir = "/folder/upload/">

This is part of the code that handles the file...

<cfset var local = structNew()>
<cfset local.response = structNew()>
<cfset local.response['catcher'] = ''>
<cfset local.filename = listGetAt(#arguments.file#, 1, ".")>
<cfset local.fileext = ListLast(#arguments.file#, ".")>
<cfset local.nfile = #CreateUUID()# & "." & #local.fileext#>

<cftry>
  <cffile action="write" file="#destdir##local.nfile#" output="#arguments.content#">
  <cfset local.response['newfilename'] = local.nfile>
  <cfcatch type="any">
  <cfset local.response['catcher'] = "Write Exception " & #cfcatch.Detail# & " | " & #cfcatch.Message#>
  <cfset local.response['success'] = true>
  <cfreturn local.response>
  </cfcatch>
</cftry>

I should mention that the file upload procedure is being handled by a CFC and Valums' AjaxUpload Plugin...

Solution

  • To answer the question you asked - your "write" opertation is a single operation. You are not moving and renaming the original file (at least not in the code above). Instead you are creating a file handle, outputting a buffer and closing the handle. The code cannot be executed prior to the release of the handle. If you were moving and renaming or copying the file itself then there could be a gap as you fear - enough to allow an execution. You should also know that file I/O might create problems if you intend to write then execute the file in a single request thread (could get an error trying to get access to the file as Java might hit slightly ahead of the OS on getting notice of the handle release if you see what I'm saying).

    Here's a post on cffile hacking that might shed light around the edges of your issue.

    http://www.coldfusionmuse.com/index.cfm/2009/9/18/script.insertion.attack.vector

    Note - this is my understanding... pretty solid, but there some pretty smart folks on this list including the ones who have responded already. Not trying to steal anyone's thunder here.