ansaurus

Question

Answer 1

A:

you should use regular expression to validate that is an image or not, might be the better option

some thing like:

 public static bool IsValidImage(this string fileName)
    {           
        Regex regex = new Regex(@"(.*?)\.(jpg|JPG|jpeg|JPEG|png|PNG|gif|GIF|bmp|BMP)$");
        return regex.IsMatch(fileName);
    }

Then you check:

if (fupFirmLogo.FileName.IsValidImage())
{
    //Do your code
}
else
 {
    //Not a valid image
  }

anishmarokey 2010-05-28 12:12:59

Can't a user can delibrately change the extension of the file i.e from .exe to .jpeg. I think, this method will allow it.

vaibhav 2010-05-28 12:17:50

i think no. How can you change the an .exe to a .jpg ?

anishmarokey 2010-05-28 12:44:08

Agreed that this might have a vulnerability. I like the regex idea though. Would including regex on fupFirmLogo.PostedFile.ContentType to check for "^image/.+$" iron out any vulnerability?

Eddie 2010-05-28 12:57:41

@anishmarokey - Right click, change .exe to .jpg. The file contents are the same, it just appears to be an image now. You aren't really converting an exe to a jpg.

Tommy 2010-05-28 13:20:17

Answer 2

+1 A:

You could define an array of known image types:

public static readonly string[] _imageMimeTypes = new[] { "image/jpeg", "image/png" };

and then test whether the posted content type is in this array:

if (_imageMimeTypes.Contains(fupFirmLogo.PostedFile.ContentType))
{
    // ...
}

Darin Dimitrov 2010-05-28 12:14:43

Darin, I think combining your idea with anishMarokey's is the best way to go. Check the MIME types, but do so from a common class so that it is reusable. This is the method that we use on our file upload controls.

Tommy 2010-05-28 13:21:28

Answer 3

A:

I hope this will help you out. Try below code.

    Image uploadedImage = null;  
    if (ImageUpload.HasFile && ImageUpload.FileName != string.Empty && ImageUpload.FileContent.Length > 0)  
    {  
        try  
        {  
            uploadedImage = Image.FromStream(ImageUpload.PostedFile.InputStream);  
        }  
        catch (Exception ex)  
        {  
            lblUploadStatus.Text = "Selected file is not an image.<br />" + ex.Message;  
       }  

       if (uploadedImage != null)  
       {  
           string savePath = string.Format("{0}/{1}", Server.MapPath("~/images/orig/upload_temp"), ImageUpload.FileName);  
           uploadedImage.Save(savePath, ImageFormat.Jpeg);  
       }  
   }

GS_Guy 2010-05-28 12:32:50

Answer 4

A:

The only problem with the solutions above is that the file will have to be uploaded to the server before you can check their file types.

If you put some Javascript in the onSubmit call, you can read the filename and test there, returning false if its not a valid file name.

This will be much more friendly on your bandwidth.

<form method="post" enctype="multipart/form-data" onsubmit="return submit(this)">
  <input id="inputControl" name="file" type="file" />
</form>

Then

function submit(form) {
  var fileName = $('#inputControl').val().replace(/.*(\/|\\)/, '');
  // check the filename here, return false if its not an image.
}

Russ C 2010-05-28 12:48:35

@Russ - you still have the I renamed a .exe to .jpg issue here. This will probably catch 99% of things out there, but you still need server side validation. Also, what about those that turn off JS?

Tommy 2010-05-28 13:22:31

Then it'll still post the file - the main thing is though the majority of cases this will reduce the bandwidth overheads. I'd still to the Image.FromStream solution above but starting this way can cut out a lot of potential problems for little effort.

Russ C 2010-05-28 13:37:43

ansaurus

tags:

views:

answers:

File Upload in asp.net

related questions