
Thread: FileUpload Security

  1. #1

    Thread Starter
    New Member
    Join Date
    Jul 2006
    Posts
    7

    FileUpload Security

    I'm using a FileUpload control in a website which should only be able to upload images. To that end, I'm checking its MIME type before accepting the upload.

    Does anyone know whether the FileUpload.PostedFile.ContentType property comes from the file itself or the request? The latter is insecure, since the request can be spoofed. If that's the case, does anyone know a good way to validate a file securely?

  2. #2
    Super Moderator Joacim Andersson's Avatar
    Join Date
    Jan 1999
    Location
    Sweden
    Posts
    14,649

    Re: FileUpload Security

    Moved to the ASP.Net forum.

    I'm pretty sure that the FileUpload gets the MIME type based only on the file extension.
    Joacim Andersson
    If anyone's answer has helped you, please show your appreciation by rating that answer.
    I'd rather run ScriptBrix...
    Joacim's view on stuff.

    MVP

  3. #3
    ASP.NET Moderator mendhak's Avatar
    Join Date
    Feb 2002
    Location
    Ulaan Baator GooGoo: Frog
    Posts
    38,174

    Re: FileUpload Security

    FileUpload.PostedFile.ContentType happens after the upload. Best to perform the validation on the client side, which you can do with a RegexValidator using

    .+(\.jpg|\.png|\.gif|\.svg)$

    And point the RegexValidator to the FileUpload control.

    Any method you come up with can be fooled - they can change the extension from .exe to .gif and your validator would pass it. If you want a 'foolproof' (almost) way of determining if it's an image or not, let the RegexValidator do most of the filtering for you, but once the file is uploaded, examine its file headers for a magic number matching the extension.

  4. #4
    King of sapila
    Join Date
    Oct 2006
    Location
    Greece
    Posts
    5,575

    Re: FileUpload Security

    First of all, glad to see you again, crazy frog.
    For easily checking whether the uploaded file is a pic I use this one, but of course you can correct me if it's not ultimate or "dangerous":
    Code:
     ' Image.FromStream throws an ArgumentException when the stream is not an image
     ' the GDI+ decoders recognise, so in a handler this call belongs inside a Try block.
     Dim img As System.Drawing.Image = System.Drawing.Image.FromStream(FileUpload1.PostedFile.InputStream)
     If (img.RawFormat.Guid = System.Drawing.Imaging.ImageFormat.Jpeg.Guid) Or _
        (img.RawFormat.Guid = System.Drawing.Imaging.ImageFormat.Gif.Guid) Then ' Or further formats ...
         ' ... accept the file
     End If
    Slow as hell.
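Added example, not code from the thread: the magic-number check mendhak describes, run on the raw header before any decoder touches the bytes, which is also far cheaper than the Image.FromStream approach above because nothing gets decoded. It assumes the caller passes FileUpload1.PostedFile.FileName and FileUpload1.PostedFile.InputStream; the module, function names and the constructed "MZ" sample are my own.

```vbnet
Imports System.IO

Public Module UploadCheck
    ' Returns True only when the client-supplied extension names a type we
    ' accept AND the first bytes of the stream carry that type's signature.
    ' SVG is deliberately absent: it is XML, has no fixed signature, and can
    ' carry script, so a magic number cannot validate it.
    Public Function IsImageUpload(ByVal fileName As String, ByVal content As Stream) As Boolean
        Dim ext As String = Path.GetExtension(fileName).ToLowerInvariant()
        Dim expected As Byte()() = SignaturesFor(ext)
        If expected Is Nothing Then Return False

        ' Read only the header, then rewind so the caller can still save the stream.
        Dim header(7) As Byte
        Dim bytesRead As Integer = content.Read(header, 0, header.Length)
        If content.CanSeek Then content.Position = 0

        For Each sig As Byte() In expected
            If bytesRead >= sig.Length AndAlso HasPrefix(header, sig) Then Return True
        Next
        Return False
    End Function

    ' Signatures keyed by extension; GIF has two valid headers (GIF87a, GIF89a).
    Private Function SignaturesFor(ByVal ext As String) As Byte()()
        Select Case ext
            Case ".jpg", ".jpeg"
                Return New Byte()() {New Byte() {&HFF, &HD8, &HFF}}
            Case ".png"
                Return New Byte()() {New Byte() {&H89, &H50, &H4E, &H47, &HD, &HA, &H1A, &HA}}
            Case ".gif"
                Return New Byte()() {New Byte() {&H47, &H49, &H46, &H38, &H37, &H61}, _
                                     New Byte() {&H47, &H49, &H46, &H38, &H39, &H61}}
            Case Else
                Return Nothing
        End Select
    End Function

    Private Function HasPrefix(ByVal data As Byte(), ByVal prefix As Byte()) As Boolean
        For i As Integer = 0 To prefix.Length - 1
            If data(i) <> prefix(i) Then Return False
        Next
        Return True
    End Function
End Module
```

With a constructed stream starting with the bytes &H4D, &H5A (an executable's "MZ" header) and the name "photo.gif", IsImageUpload returns False, while a real GIF87a/GIF89a header under the same name returns True. A matching header only vouches for the first bytes, so the accepted file should still be stored where the web server will not execute it.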
