Bytes | Developer Community

Upload File - test for valid file type

I have a simple webform where a user can upload images by using an input
element of type "file". In a button's click event in the code-behind is
this code, which saves the file to the server. Everything works OK. My
concern is how can I be sure the user is really uploading an image and not a
file with some malicious code in it. Also, can someone tell me what my
security concerns are here?

Here's the html:
<form id="Form1" encType="multipart/form-data" runat="server">
Select File to Upload: <input id="uploadedFile" type="file"
name="uploadedFile" runat="server" style="WIDTH: 592px; HEIGHT: 24px"
size="79">
<p><input id="upload" type="button" value="Upload" name="upload"
runat="server">
</p>
<asp:label id="message" runat="server"></asp:label>
</form>
and here's the code behind:
Imports System.IO
Imports System.Web

Private Sub upload_ServerClick(ByVal sender As System.Object, ByVal e As _
        System.EventArgs) Handles upload.ServerClick
    If Not (uploadedFile.PostedFile Is Nothing) Then
        Try
            Dim savePath As String = Server.MapPath(".") & "\images\test\"
            Dim postedFile As HttpPostedFile = uploadedFile.PostedFile
            ' GetFileName keeps only the last path segment of the name the browser sent
            Dim filename As String = Path.GetFileName(postedFile.FileName)
            ' Both of these come from the client's request, not from the file contents
            Dim contentType As String = postedFile.ContentType
            Dim contentLength As Integer = postedFile.ContentLength
            postedFile.SaveAs(savePath & filename)
            message.Text = postedFile.FileName & " uploaded" & _
                "<br>content type: " & contentType & _
                "<br>content length: " & contentLength.ToString()
        Catch exc As Exception
            ' InnerException is usually Nothing here, so report the outer message
            message.Text = "Failed uploading file: " & exc.Message
        End Try
    End If
End Sub



--
mo*******@nospam.com
Nov 18 '05 #1
Simplest way:

1> Get the file from the user; verify file size is reasonable (e.g. not
huge)
2> Create an IMAGE object and assign the bytestream to it.
3> Check for exceptions. If you get any, or the image format isn't known,
don't save to disk.

As a rule, you shouldn't accept uploads from anyone you don't trust.
--
Thanks,

Eric Lawrence
Program Manager
Assistance and Worldwide Services

This posting is provided "AS IS" with no warranties, and confers no rights.

Nov 18 '05 #2
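The three steps above, carried through in code as an added example (this is not code from the thread or a Microsoft sample). Besides the size cap and the decode-or-reject check, it fixes the things the posted handler leaves open: the client-supplied filename is written unchanged under the web root (a name such as something.aspx would then be served and executed by ASP.NET), ContentType is taken from the request rather than the bytes, and the filename is echoed into an asp:Label, which does not HTML-encode its Text. It assumes ASP.NET 2.0 / VB 2005 or later (for Using and the three-argument Image.FromStream), System.Drawing on the server, and an App_Data\uploads folder; MaxUploadBytes, MaxPixels and that path are illustrative choices, not values from the original post.

```vb
' Added example, not from the original thread. Applies Eric Lawrence's
' three steps (size cap, decode with a real Image object, reject on any
' failure) and adds a format allowlist, a pixel-count cap, a random
' server-side filename, a re-encode of the decoded bitmap, and a storage
' folder that IIS does not serve. Limits and paths below are assumptions.
Imports System
Imports System.IO
Imports System.Drawing
Imports System.Drawing.Imaging
Imports System.Web
Imports System.Web.UI.HtmlControls
Imports System.Web.UI.WebControls

Public Class UploadPage
    Inherits System.Web.UI.Page

    ' Controls from the original form, same ids (1.x-style declarations).
    Protected WithEvents uploadedFile As HtmlInputFile
    Protected WithEvents upload As HtmlInputButton
    Protected message As Label

    Private Const MaxUploadBytes As Integer = 2 * 1024 * 1024  ' step 1 cap (assumed 2 MB)
    Private Const MaxPixels As Long = 4000L * 4000L            ' tiny file, huge declared size

    ' Decodes, validates and re-encodes the upload. Returns the stored path,
    ' or throws ArgumentException when the file must be rejected.
    Public Shared Function SaveValidatedImage(ByVal posted As HttpPostedFile, _
                                              ByVal storeDir As String) As String
        If posted Is Nothing OrElse posted.ContentLength = 0 Then
            Throw New ArgumentException("No file was uploaded.")
        End If

        ' Step 1. ContentType and FileName are sent by the client and are
        ' deliberately not used for any decision below.
        If posted.ContentLength > MaxUploadBytes Then
            Throw New ArgumentException("File is too large.")
        End If

        ' Steps 2 and 3. Image.FromStream throws ArgumentException for anything
        ' GDI+ cannot parse; validateImageData:=True checks the image data,
        ' not only the header.
        Dim storedPath As String
        Using img As Image = Image.FromStream(posted.InputStream, False, True)
            If CLng(img.Width) * CLng(img.Height) > MaxPixels Then
                Throw New ArgumentException("Image dimensions are too large.")
            End If

            ' Allowlist: the extension is derived from the decoded format,
            ' never from the client's filename.
            Dim ext As String
            If img.RawFormat.Equals(ImageFormat.Jpeg) Then
                ext = ".jpg"
            ElseIf img.RawFormat.Equals(ImageFormat.Png) Then
                ext = ".png"
            ElseIf img.RawFormat.Equals(ImageFormat.Gif) Then
                ext = ".gif"
            Else
                Throw New ArgumentException("Unsupported image format.")
            End If

            ' Random name: no "..", no reserved names, no double extension,
            ' and one user cannot overwrite another user's upload.
            storedPath = Path.Combine(storeDir, Guid.NewGuid().ToString("N") & ext)

            ' Re-encode from the decoded pixels. Bytes appended after the
            ' image data (a script, an archive) do not survive this.
            Using clean As New Bitmap(img)
                clean.Save(storedPath, img.RawFormat)
            End Using
        End Using
        Return storedPath
    End Function

    Private Sub upload_ServerClick(ByVal sender As Object, ByVal e As EventArgs) _
            Handles upload.ServerClick
        Try
            ' App_Data is not served by IIS for ASP.NET 2.0 sites; any folder
            ' outside the web root works as well.
            SaveValidatedImage(uploadedFile.PostedFile, Server.MapPath("~/App_Data/uploads"))
            message.Text = "Image accepted."
        Catch ex As ArgumentException
            ' Fixed text only: asp:Label does not encode Text, so echoing the
            ' client filename or exception details here would be reflected XSS.
            message.Text = "Upload rejected: not a supported image."
        End Try
    End Sub
End Class
```

In an ASP.NET 2.0 web site the control fields are generated for you in the partial class, so drop the three Protected declarations there. Re-encoding through a new Bitmap flattens animated GIFs to one frame and recompresses JPEGs, which is acceptable when the image is only going onto a product; if the original bytes must be kept, store them with the random name anyway and still refuse anything the decoder rejects.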
Thanks I'll try it. btw: we need to be able to accept uploads from anyone
because it's a service where a user uploads an image and then we transpose it
onto a product and ship the product back to them. If I follow your advice
above, are there still things a user can do to sabotage our site by
uploading files in this manner?

--
mo*******@nospam.com
Nov 18 '05 #3
No exploit that I know of, unless a bug is found in the .NET image loader
code.

--
Thanks,

Eric Lawrence
Program Manager
Assistance and Worldwide Services

This posting is provided "AS IS" with no warranties, and confers no rights.

Nov 18 '05 #4
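One sabotage route that the image-loader check does not cover is plain resource exhaustion: the ContentLength comparison in the handler runs only after ASP.NET has already received and buffered the entire request body, so the cap that actually protects the server lives in web.config. This is an added configuration example, not from the thread; the values are illustrative and sized to match a 2 MB upload limit.

```xml
<!-- Added example, not from the original thread. Request-size ceilings for
     an ASP.NET upload page; the numbers are illustrative. -->
<configuration>
  <system.web>
    <!-- Kilobytes; the default is 4096. Requests above this are rejected by
         ASP.NET before the page runs, which is the only cap that applies
         before the body has been read. -->
    <httpRuntime maxRequestLength="2048" />
  </system.web>
  <!-- IIS 7 and later (integrated pipeline) only; omit this section on IIS 6.
       Value is in bytes and is enforced by IIS request filtering. -->
  <system.webServer>
    <security>
      <requestFiltering>
        <requestLimits maxAllowedContentLength="2097152" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Keep the two values consistent with the in-code limit, and expect the framework to answer an oversized request with an error page rather than your handler's message, since the handler never runs for it.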
