Pete Freitag Pete Freitag

Bug Loading Scripts for CFFileUpload and CFMediaPlayer

Published on September 02, 2011
By Pete Freitag
coldfusion

It has recently come to my attention that there are some hard coded references to /CFIDE/scripts/ in some of the JS files that are used by the new (in CF9) tags CFFileUpload and CFMediaPlayer. The tags will work just fine if you are serving scripts from /CFIDE/scripts but if you have changed the location of /CFIDE/scripts/ for security reasons - then you will experience some errors when trying to use these tags.

Bug #83328 was logged for this issue in June 2010 in the ColdFusion Bug Tracker, please vote it up.

The workaround for CFFileUpload on ColdFusion 9.0.1 is pretty simple, I would imagine that the workaround for CFMediaPlayer is just as easy.

Edit the file /CFIDE/scripts/ajax/package/cffileupload_swf.js, and change the following lines:

$FS.defaultSWFLocation="/CFIDE/scripts/ajax/resources/cf/assets/MultiFileUpload.swf";
var defaultAddIcon="/CFIDE/scripts/ajax/resources/cf/images/fileupload/addfile.png";
var defaultUploadIcon="/CFIDE/scripts/ajax/resources/cf/images/fileupload/upload.png";
var defaultClearIcon="/CFIDE/scripts/ajax/resources/cf/images/fileupload/clear.gif";
var defaultDeleteIcon="/CFIDE/scripts/ajax/resources/cf/images/fileupload/delete.png";

To this:

$FS.defaultSWFLocation=_cf_ajaxscriptsrc+"/resources/cf/assets/MultiFileUpload.swf";
var defaultAddIcon=_cf_ajaxscriptsrc+"/resources/cf/images/fileupload/addfile.png";
var defaultUploadIcon=_cf_ajaxscriptsrc+"/resources/cf/images/fileupload/upload.png";
var defaultClearIcon=_cf_ajaxscriptsrc+"/resources/cf/images/fileupload/clear.gif";
var defaultDeleteIcon=_cf_ajaxscriptsrc+"/resources/cf/images/fileupload/delete.png";

The JavaScript variable _cf_ajaxscriptsrc was defined on the page before the script tag loads cffileupload_swf.js and it contains whatever value you have setup in the ColdFusion Administrator for the Default ScriptSrc path with ajax appended to the end.



cfide scripts cffileupload cfmediaplayer security

Bug Loading Scripts for CFFileUpload and CFMediaPlayer was first published on September 02, 2011.

If you like reading about cfide, scripts, cffileupload, cfmediaplayer, or security then you might also like:

Fixinator

The Fixinator Code Security Scanner for ColdFusion & CFML is an easy to use security tool that every CF developer can use. It can also easily integrate into CI for automatic scanning on every commit.


Try Fixinator

CFBreak
The weekly newsletter for the CFML Community