Click here to Skip to main content
15,893,266 members
Search within:


How to check original file mime type
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
C#
MVC4
Mandiant was able to upload a document with filetype that is not allowed, bypassing current filters.
The file upload pages only checked the file extension to permit or deny the upload. This method ignores the actual content of the file and the potential danger posed to employees responsible for interacting with the content.

How to implement file header inspection to verify the content in the upload will be interpreted as an image regardless of the application used.

What I have tried:

Checked MIMETYPE and headers in javascript
Posted
Updated 18-Jan-17 3:37am
Add a Solution
Comments
Richard MacCutchan 18-Jan-17 8:47am    
You can never guarantee that a file is the correct type, even after inspecting its contents. Some files contain specific header identifiers that you can look for, but any other file may contain the same sequence. Accept that the user (mostly) knows what they are doing, and leave it at that.
F-ES Sitecore 18-Jan-17 9:47am    
You've just learned why javascript validation is a nice-to-have but server validation is mandatory.
Member-515487 19-Jan-17 1:25am    
How can closed this security defect
i am checking on client side extension also server side
is there any other way to get it done

user uploading file after changing extension

1 solution

If only a few file types like images should be supported you can write a function checking for "magic bytes".

Such a function will usually read a fixed number of bytes from the beginning of the file and search for the magic bytes at file type specific positions.

The Linux file command provides such checks using a file named magic that defines the search patterns. This file can be used as starting point for your checks.

Some image file definitions:
0       string          \x89PNG\x0d\x0a\x1a\x0a         PNG image data
0       string          GIF8            GIF image data
0       beshort         0xffd8          JPEG image data
0       string          MM\x00\x2a      TIFF image data, big-endian
0       string          II\x2a\x00      TIFF image data, little-endian

The format is quite simple:
The first value is the offset, the second the data type, and the third the data (with strings using C style where \xNN indicates a hex byte and \NNN an octal byte).

Howerver, these checks might still fail.
 
Share this answer
 
Posted
Add a Solution

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month
Related Questions
Refused to execute script MIME type checking is enabled?
How to check mime type/ internal mime type
Provide Mime type of a file while downloading.
How to find real file mime type (in c#) after changing extention (especially for Excel 2007)?
Google Apis V2 html mime/type
How to identify file/MIME type using Binary data
"No Video with Support Format and MIME type Found"
How to check the file type using javascript.
How do i find mime type from codecs ?
Why can I execute a script from a different site and not scripts stored in my own site? MIME TYPE (text/HTML) is not executable

Advertise
Privacy
Cookies
Terms of Use
Last Updated 18 Jan 2017
Layout: fixed | fluid
Copyright © CodeProject, 1999-2024
All Rights Reserved.

Web03 2.8:2024-04-02:1

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900