Upload File - test for valid file type

I have a simple webform where a user can upload images by using an input
element of type "file". In the button's click event in the codebehind is
this code which saves the file to the server. Everything works OK. My
concern is how can I be sure the user is really uploading an image and not a
file with some malicious code in it. Also, can someone tell me what my
security concerns are here?

Here's the html:
<form id="Form1" encType="multipart/form-data" runat="server">
  Select File to Upload: <input id="uploadedFile" type="file"
    name="uploadedFile" runat="server" style="WIDTH: 592px; HEIGHT: 24px"
    size="79">
  <p><input id="upload" type="button" value="Upload" name="upload"
    runat="server">
  </p>
  <asp:label id="message" runat="server"></asp:label>
</form>

and here's the code behind:
' At the top of the code-behind file; Path.GetFileName lives in System.IO
Imports System.IO

Private Sub upload_ServerClick(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles upload.ServerClick
    If Not (uploadedFile.PostedFile Is Nothing) Then
        Try
            ' Saved beneath the page's own directory, under the client-supplied file name
            Dim savePath As String = Server.MapPath(".") & "\images\test\"
            Dim postedFile As HttpPostedFile = uploadedFile.PostedFile
            Dim filename As String = Path.GetFileName(postedFile.FileName)
            ' ContentType is whatever the browser claimed, not a property of the bytes
            Dim contentType As String = postedFile.ContentType
            Dim contentLength As Integer = postedFile.ContentLength
            postedFile.SaveAs(savePath & filename)
            message.Text = postedFile.FileName & " uploaded" & _
                "<br>content type: " & contentType & _
                "<br>content length: " & contentLength.ToString()
        Catch exc As Exception
            ' InnerException can be Nothing, so report the exception itself
            message.Text = "Failed uploading file: " & exc.ToString()
        End Try
    End If
End Sub



--
mo*******@nospam.com
Nov 18 '05 #1
3 2398
Simplest way:

1> Get the file from the user; verify file size is reasonable (e.g. not
huge)
2> Create an IMAGE object and assign the bytestream to it.
3> Check for exceptions. If you get any, or the image format isn't known,
don't save to disk.

As a rule, you shouldn't accept uploads from anyone you don't trust.
--
Thanks,

Eric Lawrence
Program Manager
Assistance and Worldwide Services

This posting is provided "AS IS" with no warranties, and confers no rights.

Nov 18 '05 #2
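The three steps Eric lists (bound the size, hand the bytes to an image decoder, refuse to store anything that fails) as an added example; this is not code from the thread or from ASP.NET. It is written in Python so it runs stand-alone: a magic-number and trailer check on the leading and trailing bytes stands in for the System.Drawing Image decoder the answer refers to, and is the weaker of the two (a real decoder should still run over the bytes before they are used). MAX_UPLOAD_BYTES, validate_upload and server_side_name are names chosen for this example, and the sample buffers are constructed, not captured uploads. Generating the stored file name on the server instead of reusing the client-supplied one goes one step beyond the answer; it removes the client's control over what name (and extension) lands on disk.

```python
import secrets
from typing import Optional, Tuple

# Assumed upper bound for an accepted upload; size it to the product images
# the service actually needs rather than leaving it open-ended.
MAX_UPLOAD_BYTES = 2 * 1024 * 1024

# Leading-byte signatures for the formats this example accepts.
_PNG_SIG = b"\x89PNG\r\n\x1a\n"
_JPEG_SIG = b"\xff\xd8\xff"
_GIF_SIGS = (b"GIF87a", b"GIF89a")


def sniff_image_format(data: bytes) -> Optional[str]:
    """Return 'png', 'jpeg' or 'gif' from the bytes themselves, else None.

    The browser-supplied Content-Type and file extension are never consulted:
    both are chosen by the client. This header/trailer test is a stand-in for
    a full decode and rejects anything that is not even shaped like an image.
    """
    if data.startswith(_PNG_SIG):
        # A PNG continues with a 4-byte length and then the IHDR chunk type.
        return "png" if data[12:16] == b"IHDR" else None
    if data.startswith(_JPEG_SIG):
        # A JPEG stream opens with SOI (FF D8) and closes with EOI (FF D9).
        return "jpeg" if data.endswith(b"\xff\xd9") else None
    if data.startswith(_GIF_SIGS):
        # A GIF ends with the 0x3B trailer byte.
        return "gif" if data.endswith(b";") else None
    return None


def validate_upload(data: bytes, max_bytes: int = MAX_UPLOAD_BYTES) -> Tuple[bool, str]:
    """Apply the size bound first, then the format check.

    Returns (accepted, detected_format) on success and (False, reason) on
    failure; nothing should be written to disk when accepted is False.
    """
    if len(data) == 0:
        return False, "empty upload"
    if len(data) > max_bytes:
        return False, f"too large ({len(data)} bytes > {max_bytes})"
    fmt = sniff_image_format(data)
    if fmt is None:
        return False, "not a recognised image"
    return True, fmt


def server_side_name(fmt: str) -> str:
    """Build the stored file name on the server: a random token plus an
    extension taken from the detected format, never from the client's name."""
    ext = {"png": ".png", "jpeg": ".jpg", "gif": ".gif"}[fmt]
    return secrets.token_hex(16) + ext


# Constructed sample inputs (not real uploads).
# A minimal PNG-shaped buffer: signature, IHDR chunk header, 13 data bytes,
# a 4-byte CRC placeholder, then an IEND chunk.
SAMPLE_PNG = (_PNG_SIG + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
              + b"\x00\x00\x00\x00IEND\xaeB`\x82")
# A JPEG-shaped buffer used to exercise the size limit.
SAMPLE_JPEG = _JPEG_SIG + b"\x00" * 64 + b"\xff\xd9"
# Plain text that a client could still label image/jpeg in the form post.
SAMPLE_NOT_IMAGE = b"this is plain text, whatever the Content-Type header says"

if __name__ == "__main__":
    for label, blob in (("png", SAMPLE_PNG), ("text", SAMPLE_NOT_IMAGE)):
        ok, detail = validate_upload(blob)
        print(label, "->", "store as " + server_side_name(detail) if ok else "reject: " + detail)
    print("jpeg with 32-byte cap ->", validate_upload(SAMPLE_JPEG, max_bytes=32))
```

The order of the checks matters: the length test runs before any parsing, so an oversized upload is rejected without being inspected at all, which is the cheap part of "verify file size is reasonable".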
Thanks, I'll try it. BTW: we need to be able to accept uploads from anyone
because it's a service where a user uploads an image and then we transpose it
onto a product and ship the product back to them. If I follow your advice
below, are there still things a user can do to sabotage our site by
uploading files in this manner?

--
mo*******@nospam.com
Nov 18 '05 #3
No exploit that I know of, unless a bug is found in the .NET image loader
code.

--
Thanks,

Eric Lawrence
Program Manager
Assistance and Worldwide Services

This posting is provided "AS IS" with no warranties, and confers no rights.

Nov 18 '05 #4