Author |
Topic |
Michael Schmidt
Starting Member
23 Posts |
Posted - 08 July 2002 : 13:46:50
|
Here's a mod I have made. File attachment mods are pretty scarce so hopefully many of you will find this useful. Here's the link:
http://www.cornellreview.org/images/mikes_file_attachment_for_snitz.zip
Should be easy to install, (only edit one file in one place).
There are no external components required. The upload is pure ASP.
Good luck!
Mike
Keywords: File, Attach, Attachment, Upload, Paper, Clip
--------------------------- New: --------------------------------
UPDATE: David Greening aka 'Classicmotorcycling' has updated and enhanced this mod to work for future versions of Snitz (3.4 and above). The latest version can be found at http://www.snitzbitz.com/mods/details.asp?Version=All&mid=67. Also be sure to check the end of this thread for more update info.
UPDATE: Thanks to some work by 'BritishAndy', it appears that the uploading does not work on big-endian machines. So, if your server is for example running Chilisoft on a Solaris server, you may experience problems with the current mod version. But the vast majority of servers running ASP are Windows machines which are little-endian and work fine.
thank you everyone for your support and email. later!
Mike |
Edited by - Michael Schmidt on 14 January 2003 16:23:41 |
|
dayve
Forum Moderator
USA
5820 Posts |
Posted - 08 July 2002 : 16:47:53
|
got a demo and/or more info on this? does it create a member directory like the one HuwR made?
http://www.nineinchnailz.com |
|
|
Michael Schmidt
Starting Member
23 Posts |
|
Etymon
Advanced Member
United States
2385 Posts |
Posted - 08 July 2002 : 18:17:24
|
Hi Mike,
Thanks for the MOD!
Does your MOD have the ability to determine the kilobyte size, dimensions, or type of the file and either accept or reject the file ... perhaps sending a message to the poster in a popup window stating the parameters of the attempted file and what the acceptable parameters are for that forum?
Your work looks great though! Good job! Will download it and try it out when I get home. Thanks again!
Cheers,
Etymon
Edited by - Etymon on 08 July 2002 18:24:06 |
|
|
dayve
Forum Moderator
USA
5820 Posts |
Posted - 08 July 2002 : 20:53:04
|
you should give the ability to show the image in the thread instead of a link to it, this is how HuwR's version works.
I would also question if you could filter file types and sizes, otherwise you are giving people the ability to upload an asp script and execute it on your server!!
http://www.nineinchnailz.com |
|
|
Etymon
Advanced Member
United States
2385 Posts |
Posted - 08 July 2002 : 22:00:38
|
quote:
I would also question if you could filter file types and sizes, otherwise you are giving people the ability to upload an asp script and execute it on your server!!
I don't even know where to begin to understand how to upload a script and execute it this way.
What I am thinking about is like disallowing a heavy image like above 30K, disallowing a monstrous file dimension like 300 x 1500, and distinguishing if the file is only certain file formats like .jpg or .gif instead of tif and the like.
Is there a resource where I can learn more about the vulnerability you are talking about dayve? I really don't understand what you mean. Thanks though.
Etymon
|
|
|
dayve
Forum Moderator
USA
5820 Posts |
Posted - 08 July 2002 : 22:18:25
|
HuwR's upload mod gives you a simple control panel to limit the file size and allowable file extensions.
if someone is able to upload a server side script then they have access to a lot of things like reading databases, directories, source code, etc... it's just the nature of ASP, unless you take precautions like turning off EXECUTE in the upload directories and limiting what file types are allowed.
http://www.nineinchnailz.com |
|
|
Classicmotorcycling
Development Team Leader
Australia
2084 Posts |
Posted - 08 July 2002 : 22:56:34
|
Dayve,
I played with the code, and it is easy to make it show the image in the post. Thanks for the idea. I am going to adjust so it only allows for the upload of images, just got to work this out.
quote:
you should give the ability to show the image in the thread instead of a link to it, this is how HuwR's version works.
Apart from that, it is a great mod. Easy to install.
I put it at my other site, www.davidgreening.com for testing in the forums.
Cheers,
David |
|
|
HuwR
Forum Admin
United Kingdom
20584 Posts |
Posted - 09 July 2002 : 05:55:10
|
there is a section in the code that checks the file extensions in outpufile.asp find this code
' --- CHECK FILE FOR ACCEPTABILITY ---
extension = LCase(Mid(filename,InStrRev(filename,".")))
If _
    extension <> ".asp" And _
    extension <> ".cgi" And _
    extension <> ".pl" And _
    extension <> ".php" And _
    extension <> ".vbs" And _
    extension <> ".vbx" And _
    extension <> ".scr" And _
    extension <> ".js" And _
    extension <> ".com" And _
    extension <> ".bat" And _
    byteCount <= 50000000 _
Then
which filters out naughty files
|
|
|
Fury
New Member
USA
62 Posts |
Posted - 09 July 2002 : 21:22:34
|
HuwR,
What line of code don't you know? My first thought when I looked at your code was, hmmm what if I made the file name virus.jpg.asp. Then it would pass right through your check. Then I noticed the InStrRev. I had never seen that function before. That reverse certainly solves the problem.
Amazed as always.
|
|
|
Etymon
Advanced Member
United States
2385 Posts |
Posted - 09 July 2002 : 21:50:40
|
Thanks for all of the help!
How things are executed and automated still has my jaw dropped to the floor. It's nice to have folks who can toss me a pillow while I learn from them how to pick myself up!
Edited by - Etymon on 09 July 2002 21:51:44 |
|
|
dayve
Forum Moderator
USA
5820 Posts |
Posted - 09 July 2002 : 21:53:56
|
quote:
Then I noticed the InStrRev.
when I check for extensions I generally use right(strField,3)
http://www.nineinchnailz.com |
|
|
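An added example, not code from the mod or from any poster: the extension check discussed above turned into an allowlist (only the image types Etymon mentions), with the no-dot case handled, since InStrRev returns 0 there and Mid(filename, 0) raises a runtime error. The function names, the two-entry allowlist and the sample file names are assumptions; it runs under cscript, and inside ASP the WScript.Echo line would become Response.Write.

```vbscript
Option Explicit

' Assumed limits for illustration (hypothetical names, not the mod's own).
Const MAX_BYTES = 50000000          ' same ceiling as the check quoted above
Dim ALLOWED_EXT
ALLOWED_EXT = Array(".jpg", ".gif") ' allowlist: everything else is rejected

' Returns the last extension, lower-cased, or "" when the name has no dot.
Function LastExtension(ByVal filename)
    Dim slashPos, dotPos
    ' Some browsers send a full client path; keep only the final component.
    slashPos = InStrRev(Replace(filename, "/", "\"), "\")
    If slashPos > 0 Then filename = Mid(filename, slashPos + 1)
    dotPos = InStrRev(filename, ".")
    ' InStrRev returns 0 when there is no dot; Mid(filename, 0) would raise
    ' an error, so handle that case before calling Mid.
    If dotPos = 0 Then
        LastExtension = ""
    Else
        LastExtension = LCase(Mid(filename, dotPos))
    End If
End Function

' True only when the size is within bounds and the last extension is listed.
Function IsAcceptableUpload(ByVal filename, ByVal byteCount)
    Dim ext, i
    IsAcceptableUpload = False
    If byteCount <= 0 Or byteCount > MAX_BYTES Then Exit Function
    ext = LastExtension(filename)
    For i = LBound(ALLOWED_EXT) To UBound(ALLOWED_EXT)
        If ext = ALLOWED_EXT(i) Then
            IsAcceptableUpload = True
            Exit Function
        End If
    Next
End Function

' Constructed sample names, not taken from the thread's uploads.
Dim samples, s
samples = Array("photo.JPG", "virus.jpg.asp", "README", "C:\pics\flag.gif", "notes.")
For Each s In samples
    WScript.Echo s & " -> " & IsAcceptableUpload(s, 20000)
Next
```

Because the comparison is against a short list of permitted types, a new script extension mapped on the server later does not need a matching change here.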
redbrad0
Advanced Member
USA
3725 Posts |
|
dayve
Forum Moderator
USA
5820 Posts |
Posted - 09 July 2002 : 22:28:12
|
quote:
I put it at my other site, www.davidgreening.com for testing in the forums.
Cheers,
David
did you modify it to upload into a member's directory instead of a generic directory? I am getting ready to do that now just so I can test this script. I'm very interested in seeing how it handles large file sizes since that has been most of my problems with the one I am using now. it seems to crap out if I upload files larger than 3-4 megs. I know someone mentioned to use a component driven version for uploading but I'd rather check out all pure asp versions first.
http://www.nineinchnailz.com |
|
|
redbrad0
Advanced Member
USA
3725 Posts |
Posted - 09 July 2002 : 22:45:14
|
dave the problem with uploading large files like that is the script timing out on the server. i wouldn't think that uploading a 3-4 meg file in a pure asp upload would cause any problems. it's basically the exact same thing from what i have seen.
Brad Web Hosting with SQL Server @ $24.95 per month
|
|
|
Classicmotorcycling
Development Team Leader
Australia
2084 Posts |
Posted - 10 July 2002 : 01:14:28
|
Dayve,
I only allow images to go in to a generic directory that only the uploads go to, away from the general population.
Also had to make it so that only registered users would be able to upload their images. (Had heaps of people trying to upload) It was real easy to implement as I am sure you will be able to do and make it better.
quote:
did you modify it to upload into a member's directory instead of a generic directory? I am getting ready to do that now just so I can test this script. I'm very interested in seeing how it handles large file sizes since that has been most of my problems with the one I am using now. it seems to crap out if I upload files larger than 3-4 megs. I know someone mentioned to use a component driven version for uploading but I'd rather check out all pure asp versions first.
Works great as well.
Cheers,
David |
|
|