Tracker issue: CF-4199481

Title:

MIME-based validation not working when a .doc file is renamed to .xls and the accept attribute is set to 'application/vnd.ms-excel'


Status/Resolution/Reason: Closed/Withdrawn/

Reporter/Name(from Bugbase): Pradeep Vinitha / Pradeep Vinitha ()

Created: 08/14/2017

Components: File Management, CFFile

Versions: 2016

Failure Type: Non Functioning

Found In Build/Fixed In Build: 2016 /

Priority/Frequency: Normal / All users will encounter

Locale/System: English / Windows 7 64-bit

Vote Count: 0

As part of a security project we need to block files which are not allowed to be uploaded to our system. We use <cffile action="upload"> or the fileUpload method within <cfscript> to upload the files.

When the accept attribute is used to specify the MIME type of the file to upload, the <cffile> tag and the fileUpload method restrict uploading files of other MIME types. An exception is thrown and the file is not uploaded, even when the user intentionally modifies the file by editing the file extension to match the MIME type given in the accept attribute.

I think that internally CF matches the MIME type given in the accept attribute against the MIME type derived from the extension of the file being uploaded. If they are different, CF does not allow the upload and throws an exception.


All scenarios except Office 2007 based files throw a CF exception and the file is not uploaded. The Office 2007 files tested have the extensions .doc, .ppt and .xls. Only these file types can be uploaded after being renamed to any of these extensions interchangeably.

The following scenarios should throw an exception, but unfortunately the file is successfully uploaded by CF.

Actual File Extension   Modified Extension   Accept attribute used           Expected result     Actual result
doc                     xls                  Application/vnd.ms-excel        Should not upload   Uploaded
doc                     ppt                  Application/vnd.ms-powerpoint   Should not upload   Uploaded
xls                     doc                  Application/msword              Should not upload   Uploaded
xls                     ppt                  Application/vnd.ms-powerpoint   Should not upload   Uploaded
ppt                     doc                  Application/msword              Should not upload   Uploaded
ppt                     xls                  Application/vnd.ms-excel        Should not upload   Uploaded

I believe this is an issue with CF's implementation of the CFFILE tag and the fileUpload method.

Example call:

<cfscript>
    // "theFile" is the name of the upload field: <input type="file" name="theFile" />
    cf_fileUpload = fileUpload(
        GetTempDirectory(),             // destination
        "theFile",                      // fileField
        "Application/vnd.ms-excel",     // accept
        "MakeUnique",                   // nameConflict
        true                            // strict
    );
</cfscript>


Please see the attachment.

Attachments:

  1. August 14, 2017 00:00:00: file upload not validating file mime type for 2007 office file extensions..msg

Comments:

There is a small inaccuracy in the description: the old extensions .doc, .xls etc. were used up to Office 2003. Office 2007 already used the new .docx, .xlsx. Other than that, the bug report is correct, and is true for both the old (Office 2003) and new (Office 2007) file types. The underlying cause seems to be the way CF sniffs the MIME type by looking at the content of the file. Try using fileGetMimeType on various files:

Word 2003 document "realdocument.doc":
    fileGetMimeType("...\realdocument.doc") gives application/msword
Document renamed to "realdocument.xls":
    fileGetMimeType("...\realdocument.xls") gives application/vnd.ms-excel
Word 2007 document "realdocument.docx":
    fileGetMimeType("...\realdocument.docx") gives application/vnd.openxmlformats-officedocument.wordprocessingml.document
Document renamed to "realdocument.xlsx":
    fileGetMimeType("...\realdocument.xlsx") gives application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Comment by Legorol S.
432 | August 21, 2017 02:50:36 PM GMT
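The report's table and the fileGetMimeType results in the comment above both come down to one property of the formats: every .doc, .xls and .ppt begins with the same OLE2 Compound File header, and every .docx, .xlsx and .pptx is a ZIP archive whose real type is only declared inside [Content_Types].xml. A sniffer that stops at the magic bytes therefore has nothing left to go on but the extension, which is exactly the value the uploader controls. The following is an added example, not code from the bug report or from ColdFusion: it models an accept check in Python with a `strict` flag that is an assumption of mine (content comparison when true, extension comparison when false, loosely analogous to the report's fifth fileUpload argument, not a reproduction of CF's logic), builds constructed sample files in memory, and replays two of the report's renamed-upload scenarios against both checks. The extension table, the `application/x-ole-storage` placeholder and the sample bytes are assumptions for the demonstration.

```python
"""Added example (not code from the bug report or from ColdFusion): extension-based
versus content-based MIME detection for Office uploads, with constructed samples."""
import io
import xml.etree.ElementTree as ET
import zipfile

# Magic bytes from the published format specs: every .doc/.xls/.ppt is a
# Compound File Binary (OLE2) container, every .docx/.xlsx/.pptx is a ZIP.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"

# Assumed extension -> MIME table (a stand-in for the server's own mapping).
EXT_MIME = {
    "doc": "application/msword",
    "xls": "application/vnd.ms-excel",
    "ppt": "application/vnd.ms-powerpoint",
    "docx": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    "xlsx": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
    "pptx": "application/vnd.openxmlformats-officedocument.presentationml.presentation",
}

# OOXML main-part content type (declared in [Content_Types].xml) -> package MIME type.
OOXML_MAIN_PART = {
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml": EXT_MIME["docx"],
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml": EXT_MIME["xlsx"],
    "application/vnd.openxmlformats-officedocument.presentationml.presentation.main+xml": EXT_MIME["pptx"],
}


def mime_from_extension(filename):
    """What an extension-driven check sees: the name alone, which the uploader controls."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXT_MIME.get(ext, "application/octet-stream")


def mime_from_content(data):
    """What a content-driven check can actually tell from the bytes."""
    if data.startswith(OLE2_MAGIC):
        # .doc, .xls and .ppt share this header. Telling them apart means parsing the
        # compound file directory for the WordDocument / Workbook / "PowerPoint Document"
        # stream; here only the container is reported (assumed placeholder type) so that
        # a strict caller fails closed instead of trusting the extension.
        return "application/x-ole-storage"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                root = ET.fromstring(z.read("[Content_Types].xml"))
        except (zipfile.BadZipFile, KeyError, ET.ParseError):
            return "application/zip"
        for element in root.iter():
            mime = OOXML_MAIN_PART.get(element.get("ContentType", ""))
            if mime:
                return mime
        return "application/zip"
    return "application/octet-stream"


def accept_upload(filename, data, accept, strict=True):
    """Assumed model of an accept check: strict=True compares the sniffed content type,
    strict=False compares the type implied by the extension. Case-insensitive, because
    the report passes 'Application/vnd.ms-excel' with a capital A."""
    observed = mime_from_content(data) if strict else mime_from_extension(filename)
    return observed.lower() == accept.lower()


def make_ooxml(main_part_name, main_content_type):
    """Constructed minimal OOXML package: [Content_Types].xml plus an empty main part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="xml" ContentType="application/xml"/>'
            f'<Override PartName="{main_part_name}" ContentType="{main_content_type}"/>'
            "</Types>",
        )
        z.writestr(main_part_name.lstrip("/"), "<x/>")
    return buf.getvalue()


# Constructed samples, not real Office files.
DOCX_SAMPLE = make_ooxml(
    "/word/document.xml",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
)
OLE2_SAMPLE = OLE2_MAGIC + b"\x00" * 504  # header only; stands in for any .doc/.xls/.ppt


def rerun_report_table():
    """Replays two of the report's renamed-upload scenarios against both checks.
    Returns (filename, uploaded_by_extension_check, uploaded_by_content_check)."""
    cases = [
        ("realdocument.xlsx", DOCX_SAMPLE, EXT_MIME["xlsx"]),  # .docx renamed to .xlsx
        ("realdocument.xls", OLE2_SAMPLE, EXT_MIME["xls"]),    # .doc renamed to .xls
    ]
    return [
        (name, accept_upload(name, data, accept, strict=False),
         accept_upload(name, data, accept, strict=True))
        for name, data, accept in cases
    ]


if __name__ == "__main__":
    for name, by_extension, by_content in rerun_report_table():
        print(f"{name}: extension check uploads={by_extension}, content check uploads={by_content}")
```

For the OOXML case the content check recovers the true type from [Content_Types].xml and rejects the renamed file; for the OLE2 case it cannot name a specific type from the header alone and rejects because it fails closed rather than matching on the extension. Whatever the platform does internally, the practical consequence is that an accept value should be treated as one layer only: pair it with an explicit allowed-extension list, store uploads outside the web root, and never serve them back with a type derived from the uploaded name.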
Hi, I have a query here. The attachment mentions that when trying to upload a .ppt file renamed to .docx with the MIME type set to MS Office, an exception was thrown by CF. If I summarize the issue: Office 2003 and Office 2007 files are uploaded after being renamed to either of these extensions interchangeably. If yes, then a .ppt file renamed to .docx with the MIME type set to MS Office should be successful. Thanks, Poonam
Comment by Poonam J.
433 | October 31, 2017 05:05:17 AM GMT