Does <cffile> “write” allow a file to execute before renaming/writing the file?

Question

I've created a file upload for my client and I'm trying to make things as secure as possible. I'm using the following code to handle the file upload. The idea is to rename the file and write it to a folder outside the web root.

The question is, during the 'write' process is there any chance that ColdFusion will allow a malicious file to execute before the file is written to the folder and renamed with the following code?

This is at the top of my component...

<cfset destdir = "/folder/upload/">

This is part of the code that handles the file...

<cfset var local = structNew()>
<cfset local.response = structNew()>
<cfset local.response['catcher'] = ''>
<cfset local.filename = listGetAt(#arguments.file#, 1, ".")>
<cfset local.fileext = ListLast(#arguments.file#, ".")>
<cfset local.nfile = #CreateUUID()# & "." & #local.fileext#>

<cftry>
  <cffile action="write" file="#destdir##local.nfile#" output="#arguments.content#">
  <cfset local.response['newfilename'] = local.nfile>
  <cfcatch type="any">
  <cfset local.response['catcher'] = "Write Exception " & #cfcatch.Detail# & " | " & #cfcatch.Message#>
  <cfset local.response['success'] = true>
  <cfreturn local.response>
  </cfcatch>
</cftry>

I should mention that the file upload procedure is being handled by a CFC and Valums' AjaxUpload Plugin...

Answer 1

To answer the question you asked - your "write" opertation is a single operation. You are not moving and renaming the original file (at least not in the code above). Instead you are creating a file handle, outputting a buffer and closing the handle. The code cannot be executed prior to the release of the handle. If you were moving and renaming or copying the file itself then there could be a gap as you fear - enough to allow an execution. You should also know that file I/O might create problems if you intend to write then execute the file in a single request thread (could get an error trying to get access to the file as Java might hit slightly ahead of the OS on getting notice of the handle release if you see what I'm saying).

Here's a post on cffile hacking that might shed light around the edges of your issue.

http://www.coldfusionmuse.com/index.cfm/2009/9/18/script.insertion.attack.vector

Note - this is my understanding... pretty solid, but there some pretty smart folks on this list including the ones who have responded already. Not trying to steal anyone's thunder here.

Answer 2

Your sample code looks like you're doing something different from a normal file upload. You don't have a cffile action="upload", and it looks like you're already retrieved the content of the file. You should be limiting the local.fileext to file types that you consider safe and the Arguments.content should be checked to make sure it's not malicious. As soon as you've written the file to the webroot it can be probed through the url, so you must verify that everything is safe before writing it.

With a normal form post file upload the process should be something like:

1. Use cffile action="upload" to write the file upload into a temp folder outside the webroot
2. Verify the integrity of the file to make sure it's not malicious (delete if bad file)
3. Move the verified file into its final location with cffile action="move"

Answer 3

Renaming the file at upload and placing in outside the web root is a good idea, but there are still some basic points how you can improve security at fileupload in coldfusion.

For starters cffile with action upload has an attribute "accept" where you can specify which mime-types (comma delimited list) your fileupload will allow.
cffile also has a "mode" attribute (for linux only) to set permissions for the file.
source: http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=Tags_f_02.html

I don't think that an uploaded malicious file can be executed automaticly when it's uploaded that easy, but it's a good practice to take precautions.