Upload File - test for valid file type

I have a simple webform where a user can upload images by using an input
element of type "file". In the a button's click event in the codebehind is this code which saves the file to the server. Everything works OK. My
concern is how can I be sure the user is really uploading an image and not a file with some malicious code in it. Also, can someone tell me what my
security concerns are here?

Here's the html:
<form id="Form1" encType="multipart/form-data" runat="server">
Select File to Upload: <input id="uploadedFile" type="file"
name="uploadedFile" runat="server" style="WIDTH: 592px; HEIGHT: 24px"
size="79">
<p><input id="upload" type="button" value="Upload" name="upload"
runat="server">
</p>
<asp:label id="message" runat="server"></asp:label>
</form>
and here's the code behind:
Private Sub upload_ServerClick(ByVal sender As System.Object, ByVal e As
System.EventArgs) Handles upload.ServerClick
If Not (uploadedFile.PostedFile Is Nothing) Then
Try
Dim savePath As String = Server.MapPath(".") & "\images\test\"
Dim postedFile = uploadedFile.PostedFile
Dim filename As String = Path.GetFileName(postedFile.FileName)
Dim contentType As String = postedFile.ContentType
Dim contentLength As Integer = postedFile.ContentLength
postedFile.SaveAs(savePath & filename)
message.Text = postedFile.Filename & " uploaded" & _
"<br>content type: " & contentType & _
"<br>content length: " & contentLength.ToString()
Catch exc As Exception
message.Text = "Failed uploading file: " &
exc.InnerException.ToString
End Try
End If
End Sub



--
mo*******@nospam.com

Simplest way:

1> Get the file from the user; verify file size is reasonable (e.g. not
huge)
2> Create an IMAGE object and assign the bytestream to it.
3> Check for exceptions. If you get any, or the image format isn't known,
don't save to disk.

As a rule, you shouldn't accept uploads from anyone you don't trust.
--
Thanks,

Eric Lawrence
Program Manager
Assistance and Worldwide Services

This posting is provided "AS IS" with no warranties, and confers no rights.
"moondaddy" <mo*******@nospam.com> wrote in message
news:eq**************@tk2msftngp13.phx.gbl...

I have a simple webform where a user can upload images by using an input
element of type "file". In the a button's click event in the codebehind is

this code which saves the file to the server. Everything works OK. My
concern is how can I be sure the user is really uploading an image and not a

file with some malicious code in it. Also, can someone tell me what my
security concerns are here?

Here's the html:
<form id="Form1" encType="multipart/form-data" runat="server">
Select File to Upload: <input id="uploadedFile" type="file"
name="uploadedFile" runat="server" style="WIDTH: 592px; HEIGHT: 24px"
size="79">
<p><input id="upload" type="button" value="Upload" name="upload"
runat="server">
</p>
<asp:label id="message" runat="server"></asp:label>
</form>
and here's the code behind:
Private Sub upload_ServerClick(ByVal sender As System.Object, ByVal e As
System.EventArgs) Handles upload.ServerClick
If Not (uploadedFile.PostedFile Is Nothing) Then
Try
Dim savePath As String = Server.MapPath(".") &

"\images\test\" Dim postedFile = uploadedFile.PostedFile
Dim filename As String = Path.GetFileName(postedFile.FileName) Dim contentType As String = postedFile.ContentType
Dim contentLength As Integer = postedFile.ContentLength
postedFile.SaveAs(savePath & filename)
message.Text = postedFile.Filename & " uploaded" & _
"<br>content type: " & contentType & _
"<br>content length: " & contentLength.ToString()
Catch exc As Exception
message.Text = "Failed uploading file: " &
exc.InnerException.ToString
End Try
End If
End Sub



--
mo*******@nospam.com

Thanks I'll try it. btw: we need to be able to accept uploads from anyone because its a service where a user uploads an image and then we transpose it onto a product and ship the product back to them. If I follow your advice
below, are there still thinks a user can do to sabotage our site by
uploading files in this manner?

--
mo*******@nospam.com
"Eric Lawrence [MSFT]" <e_********@hotmail.com> wrote in message
news:%2******************@TK2MSFTNGP11.phx.gbl...

Simplest way:

1> Get the file from the user; verify file size is reasonable (e.g. not
huge)
2> Create an IMAGE object and assign the bytestream to it.
3> Check for exceptions. If you get any, or the image format isn't known,

don't save to disk.

As a rule, you shouldn't accept uploads from anyone you don't trust.
--
Thanks,

Eric Lawrence
Program Manager
Assistance and Worldwide Services

This posting is provided "AS IS" with no warranties, and confers no

rights.

"moondaddy" <mo*******@nospam.com> wrote in message
news:eq**************@tk2msftngp13.phx.gbl...

I have a simple webform where a user can upload images by using an input element of type "file". In the a button's click event in the codebehind

is

this code which saves the file to the server. Everything works OK.

My concern is how can I be sure the user is really uploading an image and

not

a

file with some malicious code in it. Also, can someone tell me what my security concerns are here?

Here's the html:
<form id="Form1" encType="multipart/form-data" runat="server">
Select File to Upload: <input id="uploadedFile" type="file"
name="uploadedFile" runat="server" style="WIDTH: 592px; HEIGHT: 24px"
size="79">
<p><input id="upload" type="button" value="Upload" name="upload"
runat="server">
</p>
<asp:label id="message" runat="server"></asp:label>
</form>
and here's the code behind:
Private Sub upload_ServerClick(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles upload.ServerClick
If Not (uploadedFile.PostedFile Is Nothing) Then
Try
Dim savePath As String = Server.MapPath(".") &

"\images\test\" Dim postedFile = uploadedFile.PostedFile
Dim filename As String = Path.GetFileName(postedFile.FileName) Dim contentType As String = postedFile.ContentType
Dim contentLength As Integer = postedFile.ContentLength
postedFile.SaveAs(savePath & filename)
message.Text = postedFile.Filename & " uploaded" & _
"<br>content type: " & contentType & _
"<br>content length: " & contentLength.ToString()
Catch exc As Exception
message.Text = "Failed uploading file: " &
exc.InnerException.ToString
End Try
End If
End Sub



--
mo*******@nospam.com