Upload File - test for valid file type

[moondaddy]

I have a simple webform where a user can upload images by using an input
element of type "file". In the a button's click event in the codebehind is
this code which saves the file to the server. Everything works OK. My
concern is how can I be sure the user is really uploading an image and not a
file with some malicious code in it. Also, can someone tell me what my
security concerns are here?

Here's the html:
<form id="Form1" encType="multipart/form-data" runat="server">
Select File to Upload: <input id="uploadedFile" type="file"
name="uploadedFile" runat="server" style="WIDTH: 592px; HEIGHT: 24px"
size="79">
<p><input id="upload" type="button" value="Upload" name="upload"
runat="server">
</p>
<asp:label id="message" runat="server"></asp:label>
</form>


and here's the code behind:
Private Sub upload_ServerClick(ByVal sender As System.Object, ByVal e As
System.EventArgs) Handles upload.ServerClick
If Not (uploadedFile.PostedFile Is Nothing) Then
Try
Dim savePath As String = Server.MapPath(".") & "\images\test\"
Dim postedFile = uploadedFile.PostedFile
Dim filename As String = Path.GetFileName(postedFile.FileName)
Dim contentType As String = postedFile.ContentType
Dim contentLength As Integer = postedFile.ContentLength
postedFile.SaveAs(savePath & filename)
message.Text = postedFile.Filename & " uploaded" & _
"<br>content type: " & contentType & _
"<br>content length: " & contentLength.ToString()
Catch exc As Exception
message.Text = "Failed uploading file: " &
exc.InnerException.ToString
End Try
End If
End Sub

 

[Eric Lawrence [MSFT]]

Simplest way:

1> Get the file from the user; verify file size is reasonable (e.g. not
huge)
2> Create an IMAGE object and assign the bytestream to it.
3> Check for exceptions. If you get any, or the image format isn't known,
don't save to disk.

As a rule, you shouldn't accept uploads from anyone you don't trust.


--
Thanks,

Eric Lawrence
Program Manager
Assistance and Worldwide Services

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[moondaddy]

Thanks I'll try it. btw: we need to be able to accept uploads from anyone
because its a service where a user uploads an image and then we transpose it
onto a product and ship the product back to them. If I follow your advice
below, are there still thinks a user can do to sabotage our site by
uploading files in this manner?

--
(e-mail address removed)

Simplest way:

1> Get the file from the user; verify file size is reasonable (e.g. not
huge)
2> Create an IMAGE object and assign the bytestream to it.
3> Check for exceptions. If you get any, or the image format isn't known,
don't save to disk.

As a rule, you shouldn't accept uploads from anyone you don't trust.


--
Thanks,

Eric Lawrence
Program Manager
Assistance and Worldwide Services

This posting is provided "AS IS" with no warranties, and confers no rights.

I have a simple webform where a user can upload images by using an input
element of type "file". In the a button's click event in the codebehind is
this code which saves the file to the server. Everything works OK. My
concern is how can I be sure the user is really uploading an image and

not

 

[Eric Lawrence [MSFT]]

No exploit that I know of, unless a bug is found in the .NET image loader
code.

--
Thanks,

Eric Lawrence
Program Manager
Assistance and Worldwide Services

This posting is provided "AS IS" with no warranties, and confers no rights.

Thanks I'll try it. btw: we need to be able to accept uploads from anyone
because its a service where a user uploads an image and then we transpose it
onto a product and ship the product back to them. If I follow your advice
below, are there still thinks a user can do to sabotage our site by
uploading files in this manner?