I have an uploader in an aspx page.
I have done validations for valid files such as .gif, .jpg, etc.

But if someone changes the extension of a file, for example if someone wants to upload exe files and changes the extension to .gif, then the file uploader uploads it...
How can I prevent these sorts of attacks when using the file uploader???
Posted 26-Jun-13 2:49am

Solution 1

You are perfectly right. You can't believe what is sent from the client side. You have to check for yourself. What you need is to detect the MIME type from the file content. There is a concept called "magic bytes" that is used under Linux, for example. Under Windows I haven't found anything better than urlmon.dll (part of Internet Explorer), which you can call via P/Invoke. Although the list of known types is not that long, it can be enough in your case.

This could also be interesting:[^]

Solution 2

One way of doing it:

using System;
using System.ComponentModel;
using System.Diagnostics;

const int ERROR_BAD_EXE_FORMAT = 193;
ProcessStartInfo psi = new ProcessStartInfo();
psi.UseShellExecute = false;
//psi.FileName = @"C:\\Region.xml";
psi.FileName = @"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe";
try
{
    // Attempts to start the file; a non-executable fails with ERROR_BAD_EXE_FORMAT.
    Process.Start(psi);
}
catch (Win32Exception ex)
{
    if (ex.NativeErrorCode == ERROR_BAD_EXE_FORMAT)
    {
        // The exception message would be
        // "The specified executable is not a valid application for this OS platform."
        Console.WriteLine("Not a valid executable.");
    }
}
Zoltán Zörgő 26-Jun-13 9:05am
Worst idea I ever heard! You really think it is wise to start an executable just to check if it is executable or not? Especially when trying to avoid attacks... Man, you opened a biiiiig portal in OP's application.
praks_1 27-Jun-13 1:05am
I said this is one way and not the best. What you have suggested, MimeDetector????? What's so great about it!!!!!!!!!!!!!!!
Zoltán Zörgő 27-Jun-13 14:27pm
But this one is no option at all. It would be a built-in security hole, nothing more.
But the idea could be used in the opposite direction: since the OP wants to check whether the uploaded file is an image, one can try to create an image object from the file. If that succeeds, it can be treated as an image. Might not be the best, but could work.
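The two content-based checks discussed in this thread, Solution 1's "magic bytes" signature check and the image-decode check suggested in the last comment, combined into one validator. This is an added example, not code from the original question or from any of the posters. It assumes the upload arrives as a seekable Stream plus the client-supplied file name (as ASP.NET's FileUpload.PostedFile.InputStream and FileUpload.FileName provide); the signature table, the class and method names, and the size limit are this example's own choices.

```csharp
using System;
using System.Collections.Generic;
using System.Drawing;
using System.IO;
using System.Linq;

// Added example (not from the original post). Validates an uploaded "image" by its
// content rather than by the extension or Content-Type the browser sent.
// Layer 1: the first bytes must match a known signature for the claimed extension.
// Layer 2: GDI+ must actually be able to decode the bytes as an image.
public static class UploadImageValidator
{
    // Constructed allow-list: extension -> accepted file signatures (magic bytes).
    private static readonly Dictionary<string, byte[][]> Signatures =
        new Dictionary<string, byte[][]>(StringComparer.OrdinalIgnoreCase)
    {
        { ".gif",  new[] { new byte[] { 0x47, 0x49, 0x46, 0x38, 0x37, 0x61 },   // "GIF87a"
                           new byte[] { 0x47, 0x49, 0x46, 0x38, 0x39, 0x61 } } }, // "GIF89a"
        { ".jpg",  new[] { new byte[] { 0xFF, 0xD8, 0xFF } } },                 // JPEG SOI marker
        { ".jpeg", new[] { new byte[] { 0xFF, 0xD8, 0xFF } } },
        { ".png",  new[] { new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } } },
    };

    // Layer 1: does the content start with a signature that belongs to the claimed type?
    // A renamed .exe starts with "MZ" (0x4D 0x5A) and fails here for every allowed extension.
    public static bool HasExpectedSignature(Stream content, string claimedExtension)
    {
        byte[][] candidates;
        if (!Signatures.TryGetValue(claimedExtension ?? string.Empty, out candidates))
            return false; // extension is not on the allow-list at all

        int longest = candidates.Max(s => s.Length);
        byte[] header = new byte[longest];
        long start = content.Position;
        int read = content.Read(header, 0, header.Length);
        content.Position = start; // leave the stream where the caller had it

        return candidates.Any(sig => read >= sig.Length
                                     && sig.SequenceEqual(header.Take(sig.Length)));
    }

    // Layer 2: let the image decoder validate the whole file, not just its first bytes.
    public static bool DecodesAsImage(Stream content)
    {
        long start = content.Position;
        try
        {
            // validateImageData = true forces GDI+ to check the image data, not only the header.
            using (Image img = Image.FromStream(content, false, true))
            {
                return img.Width > 0 && img.Height > 0;
            }
        }
        catch (ArgumentException)   // GDI+ reports malformed image data this way...
        {
            return false;
        }
        catch (OutOfMemoryException) // ...and, for some inputs, this way
        {
            return false;
        }
        finally
        {
            content.Position = start;
        }
    }

    // Entry point for the upload handler. Rejects oversized files before touching the decoder.
    public static bool IsAcceptableImage(Stream content, string clientFileName, long maxBytes)
    {
        if (content == null || clientFileName == null) return false;

        if (!content.CanSeek)
        {
            // Both checks rewind the stream, so buffer a non-seekable one first.
            var buffered = new MemoryStream();
            content.CopyTo(buffered);
            buffered.Position = 0;
            content = buffered;
        }

        if (content.Length == 0 || content.Length > maxBytes) return false;

        // Only the extension of the client name is used; the name itself is never trusted or reused.
        string ext = Path.GetExtension(Path.GetFileName(clientFileName));
        return HasExpectedSignature(content, ext) && DecodesAsImage(content);
    }
}
```

In a Web Forms handler this would be called as `UploadImageValidator.IsAcceptableImage(FileUpload1.PostedFile.InputStream, FileUpload1.FileName, 2 * 1024 * 1024)` before saving anything. The client-supplied name is used only to look up which signatures are acceptable; the saved file should get a server-generated name and live outside the web root, so that even a file that passes both checks is never handed to the web server as something to execute.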

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Last Updated 26 Jun 2013
Copyright © CodeProject, 1999-2017