Upload File - test for valid file type

  • moondaddy

    Upload File - test for valid file type

    I have a simple webform where a user can upload images by using an input
    element of type "file". In a button's click event in the code-behind is
    this code, which saves the file to the server. Everything works OK. My
    concern is how I can be sure the user is really uploading an image and not a
    file with some malicious code in it. Also, can someone tell me what my
    security concerns are here?

    Here's the html:
    <form id="Form1" encType="multipart/form-data" runat="server">
    Select File to Upload: <input id="uploadedFile" type="file"
    name="uploadedFile" runat="server" style="WIDTH: 592px; HEIGHT: 24px"
    size="79">
    <p><input id="upload" type="button" value="Upload" name="upload"
    runat="server">
    </p>
    <asp:label id="message" runat="server"> </asp:label>
    </form>


    and here's the code behind:
    Private Sub upload_ServerClick(ByVal sender As System.Object, ByVal e As _
            System.EventArgs) Handles upload.ServerClick
        If Not (uploadedFile.PostedFile Is Nothing) Then
            Try
                ' Target folder under the application root; the file keeps the
                ' name the client sent, which is what the question is about
                Dim savePath As String = Server.MapPath(".") & "\images\test\"
                Dim postedFile As HttpPostedFile = uploadedFile.PostedFile
                Dim filename As String = Path.GetFileName(postedFile.FileName)
                Dim contentType As String = postedFile.ContentType   ' header sent by the browser
                Dim contentLength As Integer = postedFile.ContentLength
                postedFile.SaveAs(savePath & filename)
                message.Text = postedFile.FileName & " uploaded" & _
                    "<br>content type: " & contentType & _
                    "<br>content length: " & contentLength.ToString()
            Catch exc As Exception
                ' exc.ToString() rather than exc.InnerException.ToString:
                ' InnerException is often Nothing, which would throw again here
                message.Text = "Failed uploading file: " & exc.ToString()
            End Try
        End If
    End Sub







    --
    moondaddy@nospam.com


  • Eric Lawrence [MSFT]

    #2
    Re: Upload File - test for valid file type

    Simplest way:

    1> Get the file from the user; verify file size is reasonable (e.g. not
    huge)
    2> Create an IMAGE object and assign the bytestream to it.
    3> Check for exceptions. If you get any, or the image format isn't known,
    don't save to disk.

    As a rule, you shouldn't accept uploads from anyone you don't trust.


    --
    Thanks,

    Eric Lawrence
    Program Manager
    Assistance and Worldwide Services

    This posting is provided "AS IS" with no warranties, and confers no rights.

    "moondaddy" <moondaddy@nospam.com> wrote in message
    news:eqIyg129DHA.3436@tk2msftngp13.phx.gbl...
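A worked version of the three steps in the reply above, written as an added example rather than code from the thread: it assumes System.Drawing is referenced by the ASP.NET application, and the size cap, the accepted formats and the class name are choices made for illustration.

```vbnet
' Added example, not code from the original thread: validates an upload the way
' the reply above suggests (size cap, decode, reject on failure) and then saves it
' under a server-generated name. MaxUploadBytes and the accepted formats are assumptions.
Imports System.IO
Imports System.Web
Imports System.Drawing
Imports System.Drawing.Imaging

Public Class ImageUploadValidator
    Private Const MaxUploadBytes As Integer = 2 * 1024 * 1024   ' assumed 2 MB cap

    ' Returns the full path of the saved file, or Nothing if the upload was rejected.
    Public Shared Function ValidateAndSave(ByVal postedFile As HttpPostedFile, _
                                           ByVal saveDir As String) As String
        ' 1> Reject missing, empty or oversized uploads before touching the decoder.
        If postedFile Is Nothing OrElse postedFile.ContentLength <= 0 _
           OrElse postedFile.ContentLength > MaxUploadBytes Then
            Return Nothing
        End If

        ' 2> Let the image library parse the bytes. ContentType and FileName come
        '    from the client, so neither is consulted for the decision.
        Dim img As Image = Nothing
        Try
            img = Image.FromStream(postedFile.InputStream)
            ' 3> Accept only formats the service actually processes; anything else
            '    (or a decode exception) means nothing is written to disk.
            Dim ext As String
            If img.RawFormat.Equals(ImageFormat.Jpeg) Then
                ext = ".jpg"
            ElseIf img.RawFormat.Equals(ImageFormat.Png) Then
                ext = ".png"
            ElseIf img.RawFormat.Equals(ImageFormat.Gif) Then
                ext = ".gif"
            Else
                Return Nothing
            End If
            ' Re-encode rather than SaveAs: the stored file then holds only what the
            ' decoder understood, and its name and extension are chosen server-side.
            Dim target As String = Path.Combine(saveDir, Guid.NewGuid().ToString("N") & ext)
            img.Save(target, img.RawFormat)
            Return target
        Catch ex As Exception
            Return Nothing
        Finally
            If Not img Is Nothing Then img.Dispose()
        End Try
    End Function
End Class
```

In the original page this replaces the postedFile.SaveAs call, e.g. ImageUploadValidator.ValidateAndSave(uploadedFile.PostedFile, Server.MapPath(".") & "\images\test"). The decoder itself now parses untrusted input, which is the residual risk the later reply in this thread points at, so the worker process should run with no more privilege than it needs.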



    • moondaddy

      #3
      Re: Upload File - test for valid file type

      Thanks, I'll try it. BTW: we need to be able to accept uploads from anyone
      because it's a service where a user uploads an image and then we transpose it
      onto a product and ship the product back to them. If I follow your advice
      below, are there still things a user can do to sabotage our site by
      uploading files in this manner?

      --
      moondaddy@nospam.com
      "Eric Lawrence [MSFT]" <e_lawrence@hotmail.com> wrote in message
      news:%23x%23RfH59DHA.3648@TK2MSFTNGP11.phx.gbl...



      • Eric Lawrence [MSFT]

        #4
        Re: Upload File - test for valid file type

        No exploit that I know of, unless a bug is found in the .NET image loader
        code.

        --
        Thanks,

        Eric Lawrence
        Program Manager
        Assistance and Worldwide Services

        This posting is provided "AS IS" with no warranties, and confers no rights.

        "moondaddy" <moondaddy@nospam.com> wrote in message
        news:u50cI479DHA.1804@TK2MSFTNGP12.phx.gbl...

