what is the best way to verify an uploaded image is indeed an imag

Guest

Hi,

I have a web app that allows others to upload files, and the problem is that
if I allow users to upload image files, a fake image can be uploaded and cause
XSS issues.

In the app, I do check image dimension when uploaded so that any fake image
that is actually a text file is blocked (user renames a .txt to .gif, e.g.).

However, a png file renamed to .gif can contain script that, when loaded
directly in IE (type the image URL in IE and hit enter, e.g.), the embedded
script is executed by IE's JS engine. The dimension check always returns a valid
height and width, so it does not help prevent the issue.

So, my question is: What's the best way to verify an uploaded image's true
identity? I mean, how do I determine, when an uploaded image ends with .gif,
that it is indeed a valid GIF file (and so on for other common image types used on
the web)? Is there a .NET method that can be used to verify the identity?

I am using

' Decode the uploaded file with GDI+ and read its dimensions
Dim g As System.Drawing.Image = System.Drawing.Image.FromFile(theFilePath)
Dim height_ As Integer = g.Height
Dim width_ As Integer = g.Width

and it does not help the situation I mentioned above.
 
Walter Wang [MSFT]

Hi,

You should check the uploaded file's ContentType to determine the real file
type; the ContentType will return "image/x-png" for a PNG file and
"image/gif" for a GIF file regardless of the file extension:

protected void Button1_Click(object sender, EventArgs e)
{
    if (FileUpload1.HasFile)
    {
        // Content type as reported by the uploading browser
        string ct = FileUpload1.PostedFile.ContentType;
        Response.Write(ct);
    }
}


Hope this helps.


Sincerely,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications. If you are using Outlook Express, please make sure you clear the
check box "Tools/Options/Read: Get 300 headers at a time" to see your reply
promptly.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Guest

Hi,

This does not work either. Firefox always sends the MIME type based on the file
extension. IE does send the MIME type regardless of file extension, but this
solution only works if all your clients use IE.

Isn't there a way to verify the image on the server side?
 
Walter Wang [MSFT]

Hi,

Thank you for your quick update. I understand that the MIME ContentType
approach is not what you wanted. I will do some further research to see if
there are any other methods.

By the way, I'm not able to find the issue you mentioned, that IE will load
a .PNG file faked as a .GIF file type and the script will be executed by the
JScript engine. Would you please let me know where you saw the information
on this? Thanks.

Regards,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Guest

Howdy,

After the image is successfully loaded from the stream, check the RawFormat
property to find out what the real image format is

// ImageFormat instances must be compared with Equals (GUID comparison),
// not ==, which compares object references
if (g.RawFormat.Equals(System.Drawing.Imaging.ImageFormat.Png))
{
    // the bytes really decode as PNG, whatever the extension claims
}

hope this helps
 
Walter Wang [MSFT]

Thanks, Milosz, for your input.

You're right that to determine the real image type, we could check the
RawFormat property of the Image class. The ImageFormat class
(http://msdn2.microsoft.com/en-us/library/system.drawing.imaging.imageformat.aspx)
uses GDI+ Image::GetRawFormat
(http://msdn2.microsoft.com/en-us/library/ms535393.aspx), which uses a GUID
to uniquely identify an image format.


Here's some code to test it:


using System;
using System.Drawing;
using System.Drawing.Imaging;
using System.IO;

string dir = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, @"..\..\..\");

Console.WriteLine("Png: " + ImageFormat.Png.Guid);
Console.WriteLine("Gif: " + ImageFormat.Gif.Guid);

// the fake.* files carry an extension that does not match their encoding
string[] files = { "real.png", "real.gif", "fake.png", "fake.gif" };
Image[] imgs = new Image[files.Length];
for (int i = 0; i < files.Length; i++)
{
    // GDI+ decodes the bytes, so RawFormat reflects the real encoding,
    // not the file extension
    imgs[i] = Image.FromFile(Path.Combine(dir, files[i]));
    Console.WriteLine(files[i] + ": " + imgs[i].RawFormat.Guid);

    if (imgs[i].RawFormat.Guid == ImageFormat.Png.Guid)
    {
        Console.WriteLine(files[i] + ": PNG");
    }
    else if (imgs[i].RawFormat.Guid == ImageFormat.Gif.Guid)
    {
        Console.WriteLine(files[i] + ": GIF");
    }
}


Regards,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support

 
Guest

Thanks all for your input. Indeed, this method of checking the RawFormat does
prevent renaming a png to a gif, but it does not prevent a JavaScript-containing
png from being uploaded as .png (no renaming). A png containing
JavaScript code passes the RawFormat check.

IE issue can be seen here (I uploaded the file to my server). Just use IE to
view it:

http://www.sam-alice.com/fakegif_png.gif

this file is actually a png file (renamed to gif), and if you check it using
the RawFormat method, it is of ImageFormat.Png
 
Walter Wang [MSFT]

PNG is not officially supported in IE6 and before. I think some
broken and incomplete support caused the issue. I have confirmed with the
product team that we now have full support for PNG in IE7. I just verified
that this issue no longer exists in IE7.

Regards,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support

 
Guest

WRONG. The problem still exists in IE7. Did you check the link I gave you
using IE7?

Just copy and paste the link into IE7's address bar and hit enter, and you
will see a message popup.
 
Walter Wang [MSFT]

Yes, I've tested it in IE7 on Windows XP SP2. Visiting the URL shows some
symbols and script in the window, but no script is executed.

The exact IE7 build number in About is 7.0.5730.11; what's yours?

Let me know your environment and I will try to find a similar environment
to test again. Thanks.


Regards,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support

 
Walter Wang [MSFT]

Sorry. I tested it on Vista again with IE7 build 7.0.6000.16386 and it did
execute the script.

I'll report this to product team. Thank you for your feedback!

Regards,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support

 
Guest

I am using 7.0.5730.11 too on Windows XP. You did not see the script probably
because you have something installed on your IE that prevents javascript from
executing.

Test it with a pure IE environment and you will see the script in Windows XP
too.
 
Walter Wang [MSFT]

Hi,

Sorry for the delayed reply. I was consulting this question with the product team.

This is actually by-design behavior and is controlled by the per-zone
setting titled "Open files based on content, not file extension", which is
MIME sniffing. MIME sniffing is the default behavior in the Internet zone.

http://blogs.msdn.com/ie/archive/2005/02/01/364581.aspx

http://msdn.microsoft.com/library/default.asp?url=/workshop/networking/moniker/overview/appendix_a.asp


Since the MIME sniffing behavior is turned on by default on the client side for
the Internet zone, I'm afraid the only solution here is to verify the MIME type of
the uploaded file on the server; if it is not the correct one for the file
extension, then reject the file and prompt the user. The GDI+ Image class
is not helping here since the file is actually a valid PNG file for it.
I'll do further research to see if there's any better workaround.


Regards,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support

 
Guest

============================================
I'm afraid the only solution here is to verify the mime of
uploaded file on the server, if it's not the correct one with the file
extension, then reject the file and prompt the user.
============================================

I understand this, but it is an IE-only solution because, as I said, Firefox
does not do such upload MIME type reporting and always reports to the server
based on the file extension.

The fake png is reported as text/html by IE, so I can reject it on the
server, but it is reported as image/png by Firefox.

By the way, I don't think MIME type sniffing is working correctly in IE
because:

1) if you use the html img tag to embed the fake png in a document, the code
does not get executed, and a broken image is shown.

2) The code is only executed if you load the file directly using the address
bar.

3) My server reported the content-type as image/gif for the fake png (you
can verify it yourself)

If sniffing is done correctly, IE shouldn't sniff at all because server
response is regarded as authoritative in this document:
http://blogs.msdn.com/ie/archive/2005/02/01/364581.aspx

If everything that is said in the above document is true still in IE 7, then
IE does not handle gif image correctly. Why does it execute code for a GIF
image?
 
Walter Wang [MSFT]

> 1) if you use the html img tag to embed the fake png in a document, the
> code does not get executed, and a broken image is shown.
> 2) The code is only executed if you load the file directly using the
> address bar.

If you have an image tag pointing at an image, then we know that the web
page author is intending this to be an image. Based on that we can pass it
off to our image processing libraries and it can tell us if it is a valid
png/gif/jpg/etc and render it as such, and those libraries don't know what
to do with script anyway. Eventually they just give us a bitmap back to
display and not the html/script. If the website doesn't use an image tag
for the image, then IE has to determine what it is first, and in steps mime
sniffing to do this.

> 3) My server reported the content-type as image/gif for the fake png (you
> can verify it yourself)
> If sniffing is done correctly, IE shouldn't sniff at all because server
> response is regarded as authoritative in this document:
> http://blogs.msdn.com/ie/archive/2005/02/01/364581.aspx

We've tried to use the server response as authoritative, but due to web
compat problems, mime sniffing is still the default setting in IE7.

I'm currently still discussing with an IE developer on this issue. I'll keep
you posted when I get further information on this. Thanks.

Regards,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support

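The check the thread settles on, verifying the real type on the server, written here as an added Python example (not code from any poster, and not the .NET API discussed above): the format and dimensions are read from the file's own header bytes and compared with the uploaded name's extension, so a PNG renamed to .gif is rejected; all sample bytes and file names are constructed.

```python
import struct
from pathlib import PurePosixPath

# Signatures from the GIF, PNG and JPEG specifications.
GIF_SIGNATURES = (b"GIF87a", b"GIF89a")
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
JPEG_SIGNATURE = b"\xff\xd8\xff"
# Extensions the server accepts for each sniffed format.
EXPECTED_EXT = {"gif": {".gif"}, "png": {".png"}, "jpeg": {".jpg", ".jpeg"}}

def sniff_image(data: bytes):
    """Return (format, width, height) read from the header bytes, or None
    if the bytes do not start like any supported image. The format comes
    from the bytes, never from the name the uploader chose."""
    if data[:6] in GIF_SIGNATURES and len(data) >= 10:
        width, height = struct.unpack("<HH", data[6:10])   # logical screen
        return ("gif", width, height)
    if data[:8] == PNG_SIGNATURE and len(data) >= 24 and data[12:16] == b"IHDR":
        width, height = struct.unpack(">II", data[16:24])  # IHDR fields
        return ("png", width, height)
    if data[:3] == JPEG_SIGNATURE:
        return ("jpeg", None, None)   # dimensions would need a SOF scan
    return None

def validate_upload(filename: str, data: bytes) -> str:
    """Return 'ok' only when the sniffed format matches the extension the
    file will later be served under; otherwise 'not-an-image' or
    'extension-mismatch', both of which the upload handler should reject."""
    sniffed = sniff_image(data)
    if sniffed is None:
        return "not-an-image"
    fmt, width, height = sniffed
    if fmt != "jpeg" and (width == 0 or height == 0):
        return "not-an-image"
    if PurePosixPath(filename).suffix.lower() not in EXPECTED_EXT[fmt]:
        return "extension-mismatch"
    return "ok"

# Constructed sample inputs: header bytes only, not complete images.
REAL_GIF = b"GIF89a" + struct.pack("<HH", 320, 200) + b"\x00" * 3
REAL_PNG = (PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR"
            + struct.pack(">II", 640, 480) + b"\x08\x06\x00\x00\x00")
TEXT_FILE = b"<html><body>not an image</body></html>"

if __name__ == "__main__":
    print(validate_upload("real.gif", REAL_GIF))          # ok
    print(validate_upload("fakegif_png.gif", REAL_PNG))   # extension-mismatch
    print(validate_upload("notes.gif", TEXT_FILE))        # not-an-image
```

As the later posts point out, a file that really is a PNG but carries script text in its data still passes any header check, so the Content-Type the server sends when it later serves the file has to come from the verified format, not from anything the client supplied.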
 