Using a NOT Allowed File Extension List
Cffile's Accept Attribute
Cffile has the built-in attribute 'accept', which allows you to input a list of MIME types to allow during the upload. If the uploaded file is not of the proper type, cffile will error, requiring cftry / cfcatch tags to make it work smoothly. This is a great feature, and I use it very often with things like photo galleries where you really only want a few file types uploaded.
I've often found myself in situations where I want to allow all sorts of files, except for dangerous ones. An intranet file repository is one example where the list of disallowed files was much smaller than the list of allowed files. So it would seem much easier to manage a small list of disallowed files.
The Solution
First, create a list of not allowed file extensions:
<cfset lsNotAllowed = "cfml,cfm,asp,aspx,php,pl,cgi,shtml">
Now check the extension of an uploaded file to make sure it is OK. If it is on the list, delete the file immediately.
<cffile action="upload" destination="#myUploadDir#" filefield="form.upload" nameconflict="makeunique">
<cfif listFindNoCase(lsNotAllowed, cffile.clientFileExt)>
    <cffile action="delete" file="#myUploadDir#\#cffile.serverFile#">
</cfif>
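A variation on the check above, added here as an example and not part of the original post: the upload lands in a staging directory first and is moved into myUploadDir only after it passes the list, so a rejected file never sits in the upload directory. It assumes getTempDirectory() is not served by the web server; tmpDir, savedPath and uploadOk are illustrative names.

```cfml
<!--- Added example: same not-allowed list, but the file is vetted before it reaches myUploadDir. --->
<cfset lsNotAllowed = "cfml,cfm,asp,aspx,php,pl,cgi,shtml">

<!--- Assumption: the server temp directory is outside the web root. --->
<cfset tmpDir = getTempDirectory()>
<cfset uploadOk = false>

<cftry>
    <!--- Stage the upload where it cannot be requested through the web server. --->
    <cffile action="upload" destination="#tmpDir#" filefield="form.upload" nameconflict="makeunique">
    <cfset savedPath = cffile.serverDirectory & "/" & cffile.serverFile>

    <!--- Check the extension the file was saved with as well as the one the client sent. --->
    <cfif listFindNoCase(lsNotAllowed, trim(cffile.serverFileExt))
          OR listFindNoCase(lsNotAllowed, trim(cffile.clientFileExt))>
        <!--- On the list: remove it from staging, nothing reaches myUploadDir. --->
        <cffile action="delete" file="#savedPath#">
    <cfelse>
        <!--- Passed: move it into place under a unique name to avoid overwriting an existing file. --->
        <cffile action="move" source="#savedPath#"
                destination="#myUploadDir#/#createUUID()#_#cffile.serverFile#">
        <cfset uploadOk = true>
    </cfif>

    <cfcatch type="any">
        <!--- Any failure (upload, delete or move): leave no staged file behind. --->
        <cfif isDefined("savedPath") AND fileExists(savedPath)>
            <cffile action="delete" file="#savedPath#">
        </cfif>
        <cfset uploadOk = false>
    </cfcatch>
</cftry>
```

After the block, uploadOk tells the calling page whether to show a success message or a rejection message.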