vchris (Author), December 19, 2007:
Works awesome! Thanks skemcin
Skemcin, December 20, 2007:
You're welcome - glad to see another CF success.
vchris (Author), December 27, 2007:
I got another idea to improve the security of the files for this website, since a user could download any file if he knows its name. On logon, I could set a session variable of the group the user is from. Then have a folder for each group within the docs folder. That user can then only download a file from his folder.
zppblood, December 27, 2007:
What if they typed something like ../folder_they_shouldn't_be_seeing/whateverfile.doc? In PHP you can use basename() to take out ../folder names/ from the input so it would be whateverfile.doc, and then where you check file exists, add the folder name they are allowed to look at.

    <?php
    // Strip any directory part: "../some_other_folder/file.doc" becomes "file.doc"
    $file = basename($_GET['file']);
    // Only look inside the folder that belongs to the logged-in user's group
    if (file_exists($_SESSION['group'] . '/' . $file)) {
        // use header and include
    }
    ?>

Something I also found out when playing around with my own code is that if you use special characters like *, <, etc., it can grab files based on the filesystem you are using (Windows for me). You could probably make an array of files to choose from in the code, or have ColdFusion scan the folder for all of the doc files and check if it's in that array of files.
vchris (Author), December 27, 2007:
They can't type a direct URL to the file since the file is stored on the server outside of the web folder. Only ColdFusion can get in there and get the file. I made a ColdFusion page that will fetch the file. The user has no idea where the file is. There is only a querystring (?myFile=test.doc). The current problem with this is that all the files are in one folder, so if a user from one group knows the name of a file from another group, he could access it with the querystring. I'll be adding the group folders so this won't be possible. I know how to do this part. Thanks anyway for the code.
zppblood, December 27, 2007:
You might want to make the folder names kind of random then. They can just go up one level with ../, the name of the folder and the file name.

To get an idea of what someone can do:
http://www.owasp.org/index.php/Testing_for...ctory_Traversal
http://www.owasp.org/google/results.html?c...=FORID%3A9#1150
vchris (Author), December 28, 2007:
Could a user go up one level if my path is hard coded except for the file name?

This is the kind of path I have: /absolutepathtofolder/group/file.doc. This path is outside of the web folder. You mean that someone could change my querystring to ?myFile=../othergroup/file.doc and access another file? Is this valid then: /absolutepathtofolder/group/../othergroup/file.doc, since this is how it will be displayed? I could also simply not allow / in the querystring.
zppblood, December 28, 2007:
I don't think that would be good enough. If ColdFusion has a way of just returning the filename like PHP's basename(), use that, or use regular expressions that only accept certain characters like A-Za-z0-9_.
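The basename-or-whitelist approach zppblood describes, written out as a ColdFusion fetch page. This is an added example, not code from the thread: the root path is a placeholder, the session.group variable and the ".doc only" rule are assumptions, and it assumes session management is enabled in the application.

```cfml
<!--- Added example, not the thread's own code: a doc_fetcher.cfm that only ever serves
      a plain file name from the logged-in user's group folder. Assumptions: session
      management is on, login stored the group name in session.group, and the documents
      live under /absolutepathtofolder/<group>/ outside the web root (placeholder path). --->
<cfset docsRoot = "/absolutepathtofolder/">
<cfparam name="url.myFile" default="">

<!--- Whitelist rather than blacklist: letters, digits, underscore and hyphen, then ".doc".
      This rejects "/", "\", "..", NUL and wildcard characters such as "*" or "<" before
      anything reaches the file system, so a value like ../othergroup/file.doc never
      gets as far as a path being built. --->
<cfif NOT reFindNoCase("^[A-Za-z0-9_-]{1,64}\.doc$", url.myFile)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- getFileFromPath() is the CFML counterpart of PHP's basename(). After the regex it
      is redundant, which is the point: two independent checks. --->
<cfset safeName = getFileFromPath(url.myFile)>

<!--- The folder always comes from the session, never from the request. --->
<cfif NOT structKeyExists(session, "group")>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>
<cfset fullPath = docsRoot & session.group & "/" & safeName>

<cfif NOT fileExists(fullPath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- Stream the file. The download name can differ from the on-disk name, and the
      absolute path is never sent to the browser. --->
<cfheader name="Content-Disposition" value="attachment; filename=""#safeName#""">
<cfcontent type="application/msword" file="#fullPath#" reset="true">
```

Checking the joined path for ".." after the fact is weaker than this, because the check has to anticipate every encoding the file system will accept; rejecting anything that is not a bare file name sidesteps that entirely.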
Skemcin, December 28, 2007:
This should be easily resolved by creating two more tables, one to define groups and another as a lookup.

If your user table is "user" and your group table is "group" and your lookup table is "user_x_group", then name your folders the same way you name your groups. When the user logs in and is authenticated, then all your file requests would run off a variable you could set based on their ID in the "user_x_group" table as it pertains to the assigned group.

I would even take this one step farther, if it's possible, and have the documents they are requesting databased too. Your "document" table could then store the filename, and then you could either move them into separate folders or keep them all in one and then create a "group_x_document" table that assigns documents to single or multiple groups without having to have copies of files in different group folders. The link to the document would now have a UUID as the string and not the actual filename.

Then, on the ColdFusion page that actually requests the file, you have to query the "document" table to get the real file, then you get the file's ID and look it up in the group table to see if this user is allowed to even have it.

In the latter example, the user never has any idea of what group they are in (which doesn't matter if they do), but additionally they NEVER see the actual filename of the file since the URL string is a UUID and not the file name. If you are using the code we talked about earlier, then you can rename the file as it is prompted to download so that it's not even remotely the same as it's physically defined on the server.

Make sense? Let me know if you need me to back up and re-imagine that [admittedly typed a little frantically].
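The UUID-in-the-URL design Skemcin sketches, as an added example rather than anything from the thread. Table names follow the post above ("document", "group_x_document", "user_x_group"); the column names, session.userID, the #db# datasource and the storage path are assumptions.

```cfml
<!--- Added example (not the thread's code): look a document up by UUID and verify the
      requesting user's group in the same query before serving it. Column names,
      session.userID, the #db# datasource and the storage path are assumptions. --->
<cfparam name="url.id" default="">

<!--- createUUID() produces 8-4-4-16 hex groups (35 characters). Anything else is
      rejected before the database is touched. --->
<cfif NOT reFindNoCase("^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{16}$", url.id)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<cfif NOT structKeyExists(session, "userID")>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- Lookup and authorisation in one statement: a row only comes back if some group
      this user belongs to has been granted this document. --->
<cfquery name="qryDoc" datasource="#db#">
    SELECT d.filename, d.display_name
    FROM document d
        INNER JOIN group_x_document gd ON gd.document_id = d.document_id
        INNER JOIN user_x_group ug ON ug.group_id = gd.group_id
    WHERE d.document_uuid = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_varchar">
      AND ug.user_id = <cfqueryparam value="#session.userID#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Same response for "unknown UUID" and "not granted", so the URL cannot be used to
      probe which documents exist. --->
<cfif qryDoc.recordcount EQ 0>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- The physical name stays on the server; getFileFromPath() guards against a stored
      filename that contains a directory part. --->
<cfset fullPath = "/absolutepathtofolder/" & getFileFromPath(qryDoc.filename)>
<cfif NOT fileExists(fullPath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- The download name is whatever the database says, scrubbed to characters that are
      safe inside a quoted header value. --->
<cfset downloadName = reReplace(qryDoc.display_name, "[^A-Za-z0-9_. -]", "_", "all")>
<cfheader name="Content-Disposition" value="attachment; filename=""#downloadName#""">
<cfcontent type="application/msword" file="#fullPath#" reset="true">
```

Because the join does the access check, there is no separate "is this user allowed" branch to forget, and a document granted to several groups needs one row per group in group_x_document rather than one copy of the file per folder.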
vchris (Author), December 29, 2007:
I currently don't use any database. There are so few logins that I simply have them hard coded in the page. I'm not sure I want to create one.
vchris (Author), January 4, 2008:
I noticed that in IE6 (don't have IE7 at work), instead of prompting to download the doc filename, it prompts to download the name of the page that gets the doc (doc_fetcher, no extension), but I can still open this Word doc with Word manually. Any idea why?

EDIT: my bad, typo in content-type for Word files.
vchris (Author), January 9, 2008:
I had a meeting today on this application and it looks like they wanna complicate the app a little bit. Currently, I have this site set up without a DB, but with the new updates I'll need to implement a database. This way I can easily manage user groups, documents and more from the DB. I'll also be creating an admin panel for users to add, del, edit docs and add, del, edit the categories docs are in... Anyway, so it looks like this will be another small challenge. Should be interesting.
Skemcin, January 9, 2008:
Sounds fun. Let me know if you need any help on any issues you run into.

You know, with MS SQL 2005 and CF8 you can actually store the binary information in the DB. Not a good idea if this is gonna get really huge or if the files are big, but it is a way to really make sure no one can see someone else's files since they are not even physically stored on the server.
vchris (Author), January 9, 2008:
Actually there should be lots of files, some 5-10mb and more.
Skemcin, January 10, 2008:
> Actually there should be lots of files, some 5-10mb and more.

OK, scratch that last idea then - it would have been good for what it looked like you were dealing with at first. Knowing that you are dealing with that many files, I wonder how they expected it to be managed without a DB.

Anyway, good luck, should be a fun little project.
clonetrooper9494, January 24, 2008:
If I were you, I would use the include, but have a cookie with the username, country (to block or allow files), password, and a random number like day x hour x 57375 (the user's ID number, like on here) x another number, so somebody would have to at least know one of the numbers to look at the file... does that make any sense?
vchris (Author), February 4, 2008:
I've started to work on this project again. I have the database set up with no data at the moment. What is the best way to have a unique ID that I would generate myself when inserting a new document with a ColdFusion page? It should have letters (upper and lower case) and numbers; 10 characters should be enough. I'm thinking of an array with all the values I'd want in this ID, but it's perhaps not the best way of doing this.
Skemcin, February 4, 2008:
ColdFusion has a GUID function that will create a unique identifier for you. If it's not going to be used in a visual sense at all (like in the filename or folder name) then I'd go that route. Otherwise, I tend to incorporate a text file and autoincrement that and then prepend it with an abbreviation of the application and/or suffix it with a version . . .

    NW0005v3

NW = news application
0005 = number extracted from a text file, with the numberformat function used to make sure all four placeholders are used
v3 = the version of the application I built
vchris (Author), February 12, 2008:
I wanna use random numbers (6 digits) as a unique ID for each document in the DB. I don't want to have a number the same as one already entered. I'm just trying to figure out how I can reroll the number if there is a match. I know that I query for the IDs and set the random number. Then in a loop I compare my random number to all IDs, and if there is a match it should re-enter that loop, but before that it should reroll. I'm not sure how to go about that. Any tips?
Skemcin, February 12, 2008:
Taking a minute to throw something out there to start you off . . .

    <cfset newID = randrange(100000,999999)>
    <!--- Look for an existing row with this ID; the value is bound as a parameter, not pasted into the SQL --->
    <cfquery name="qryCheckID" datasource="#db#">
        SELECT ID FROM yourtable
        WHERE ID = <cfqueryparam value="#newID#" cfsqltype="cf_sql_integer">
    </cfquery>
    <cfif qryCheckID.recordcount EQ 0>
        (use this id)
    <cfelse>
        (refresh the page, include query string or post back using hidden form)
    </cfif>

Does this help?
vchris (Author), February 12, 2008:
It's when it comes to this:

    <cfelse>
        (refresh the page, include query string or post back using hidden form)
    </cfif>

How can I reroll without refreshing the page? cfloop?
Skemcin, February 13, 2008:
Well, I guess you could nest that in a cfloop like this:

    <cfset newID = randrange(100000,999999)>
    <cfloop from="1" to="999999" index="x">
        <!--- Check whether the candidate ID is already taken --->
        <cfquery name="qryCheckID" datasource="#db#">
            SELECT ID FROM yourtable
            WHERE ID = <cfqueryparam value="#newID#" cfsqltype="cf_sql_integer">
        </cfquery>
        <cfif qryCheckID.recordcount EQ 0>
            (use this id)
            <cfbreak>
        <cfelse>
            <!--- Collision: reroll and let the loop check the new number --->
            <cfset newID = randrange(100000,999999)>
        </cfif>
    </cfloop>

Here you loop from one to some ridiculously large number. Each time, a new random number will be created and checked. As soon as there is no match, the loop is broken/exited.

I think this will work.
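One caveat worth knowing about the check-then-insert loop above: two uploads running at the same moment can both see recordcount 0 for the same number and both insert it. The added example below (not Skemcin's code) lets the database be the referee instead, assuming the ID column has a UNIQUE or PRIMARY KEY constraint; the table, column names, form field and #db# datasource are placeholders, and the duplicate-key detection keys on the vendor's error text, which varies by database.

```cfml
<!--- Added example (not the thread's code): allocate a 6-digit document ID and let a
      UNIQUE constraint on the ID column reject collisions, which is safe under
      concurrent requests where SELECT-then-INSERT is not. Table, column and form
      names and the #db# datasource are placeholders. --->
<cfset inserted = false>
<cfset maxAttempts = 20>

<cfloop from="1" to="#maxAttempts#" index="attempt">
    <cfset newID = randRange(100000, 999999)>
    <cftry>
        <cfquery datasource="#db#">
            INSERT INTO yourtable (ID, doc_name)
            VALUES (
                <cfqueryparam value="#newID#" cfsqltype="cf_sql_integer">,
                <cfqueryparam value="#form.doc_name#" cfsqltype="cf_sql_varchar" maxlength="255">
            )
        </cfquery>
        <cfset inserted = true>
        <cfbreak>

        <!--- A duplicate-key error means this number was taken (possibly by a request
              running at the same instant): roll again. Any other database error is
              re-thrown rather than swallowed. The matching on the error text is
              vendor-specific; MS SQL reports "Violation of UNIQUE KEY constraint" or
              "Cannot insert duplicate key". --->
        <cfcatch type="database">
            <cfset errText = cfcatch.message & " " & cfcatch.detail>
            <cfif NOT findNoCase("unique", errText) AND NOT findNoCase("duplicate", errText)>
                <cfrethrow>
            </cfif>
        </cfcatch>
    </cftry>
</cfloop>

<cfif NOT inserted>
    <!--- With 900,000 possible values this only happens when the table is nearly full
          or the database is misconfigured; fail loudly rather than reuse an ID. --->
    <cfthrow message="Could not allocate a unique document ID after #maxAttempts# attempts">
</cfif>
```

The loop is bounded on purpose: if twenty random draws in a row collide, something is wrong with the table or the constraint, and an error is more useful than spinning.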
vchris (Author), February 13, 2008:
Thanks! Seems to work great.
Skemcin, February 13, 2008:
nice :)
vchris (Author), February 13, 2008:
I got another one for you lol... My documents are stored in the DB and there are different categories for each document; some are in the same category. So here's what I got:

    Category 1
    doc 1
    Category 2
    doc 2
    Category 2
    doc 3

I'd like to have:

    Category 1
    doc 1
    Category 2
    doc 2
    doc 3

I tried using the GROUP BY clause but doc 3 disappeared. I tried also the group in the cfoutput tag but it's the same thing. I checked another document that has a comparable output but it uses a flag to know if it should output the category text. Is that the best way to do this? Isn't there a way with the query to do this?

    <cfquery name="qryGetDocs" datasource="#dbname#" username="#dbuser#" password="#dbpw#">
        SELECT d.doc_id, d.doc_name, d.doc_description, c.cat_name
        FROM Documents d, Categories c
        WHERE d.cat_id = c.cat_id
        GROUP BY d.cat_id
    </cfquery>
    <cfoutput query="qryGetDocs">
        <h3 class="menuheader expandable">#qryGetDocs.cat_name#</h3>
        <p>#qryGetDocs.doc_name#</p>
    </cfoutput>
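The reason doc 3 disappears is that GROUP BY collapses each category to a single row; it is an aggregation clause, not a sorting one. The added example below, not vchris's code, keeps the query and column names from the post and instead sorts by category and uses the group attribute of cfoutput with a nested cfoutput, which is the part that makes the difference: the outer tag runs once per category, the inner one once per document.

```cfml
<!--- Added example answering the question above (not the thread's code). Query and
      column names follow the post; only the SQL and the cfoutput nesting differ. --->
<cfquery name="qryGetDocs" datasource="#dbname#" username="#dbuser#" password="#dbpw#">
    SELECT d.doc_id, d.doc_name, d.doc_description, c.cat_name
    FROM Documents d
        INNER JOIN Categories c ON c.cat_id = d.cat_id
    ORDER BY c.cat_name, d.doc_name
</cfquery>

<!--- group="cat_name" starts a new group each time the value changes, so the rows must
      be sorted on that column (done by ORDER BY above). The outer body runs once per
      category; the inner cfoutput, with no query attribute, runs once per row in it.
      htmlEditFormat() encodes stored names so a document title containing "<" cannot
      inject markup into the page. --->
<cfoutput query="qryGetDocs" group="cat_name">
    <h3 class="menuheader expandable">#htmlEditFormat(cat_name)#</h3>
    <cfoutput>
        <p>#htmlEditFormat(doc_name)#</p>
    </cfoutput>
</cfoutput>
```

Without the inner cfoutput, the grouped tag still emits one block per category, which is why trying group on its own looked the same as GROUP BY.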
This topic is now archived and is closed to further replies.