I have ASP.NET form with an upload control for users to post an image. On the server I load that image (using the Bitmap class) and resize it.

Is there any danger in doing that when users upload malicious or affected files or will the code just throw an exception at some point and stop the whole process?

A: 

I would:

Make sure the uploaded file is definitely an image so that people cannot upload arbitrary stuff - but you probably have that covered with the Bitmap class.

Rename the file once uploaded so someone uploading does not know the filename they have created.

Make sure the upload directory has minimal permissions.

Make sure the contents of the upload directory cannot be viewed in a browser.

Steve Claridge
We do rename the files, but they are publicly hosted because we obviously need to show them at some point. Obviously I want to avoid malicious files making it to the upload folder. We also check the ContentType of the HttpPostedFile class.
Koen
+1  A: 

The best a hacker can hope for is a buffer overflow exploit, where he writes malicious code into the server's memory. However, from what I've read, such a thing can happen only when using unsafe code, and since Bitmap is totally managed I'm pretty sure it's safe to use.

However, a really clever hacker can trick the Bitmap and create a "custom" picture file that is a perfectly valid picture but also contains "hitchhiker" code that might cause damage when viewed in a browser, using some future exploit. So the safest way is to save the Bitmap itself to disk instead of the raw uploaded file, meaning use the bitmap.Save method instead of the SaveAs method of HttpPostedFile. This way any extra code will be omitted, as the Bitmap won't load it, and your visitors will be safe.

By the way, you can store the uploaded files outside the website root folder and create a "proxy" file to read them from that folder: this way users won't be able to browse directly to the images; they'll have to go through the proxy. This is useful if you add a permissions mechanism at some point, e.g. user A should not be able to see what user B uploaded.

Shadow Wizard
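The advice in both answers above (decode the upload rather than trusting its ContentType, re-encode through bitmap.Save instead of HttpPostedFile.SaveAs, give the file a server-chosen name, keep it outside the web root, and serve it through a proxy that can enforce permissions) put together as one worked example. This is added code, not from either answer or from any project; it assumes classic ASP.NET with System.Drawing, an upload directory under ~/App_Data (which ASP.NET never serves directly), and the size limits, handler name and UserMayView placeholder are all assumptions. One caveat the thread does not mention: System.Drawing.Bitmap is a managed wrapper over the native GDI+ library, so the decode itself is the part that touches hostile bytes; cap the upload size before decoding and run the site under an account with the fewest privileges you can.

```csharp
using System;
using System.Drawing;
using System.Drawing.Drawing2D;
using System.Drawing.Imaging;
using System.IO;
using System.Web;

// Added example, not from the original thread. Directory, limits and helper
// names are assumptions.
public static class SafeImageUpload
{
    private const int MaxBytes = 5 * 1024 * 1024;  // refuse oversized uploads before decoding
    private const int MaxWidth = 1024;              // longest edge we will store

    // ~/App_Data is outside what ASP.NET serves, so nothing here is reachable by URL.
    public static string UploadDir()
    {
        return HttpContext.Current.Server.MapPath("~/App_Data/uploads");
    }

    // Returns the opaque id under which the re-encoded image was stored.
    public static string Store(HttpPostedFile posted)
    {
        if (posted == null || posted.ContentLength == 0 || posted.ContentLength > MaxBytes)
            throw new InvalidDataException("Empty or oversized upload.");

        // Decode the bytes themselves. ContentType and the file name are chosen by the
        // client and prove nothing; RawFormat tells us what GDI+ actually parsed.
        using (Image original = Image.FromStream(posted.InputStream,
                                                 useEmbeddedColorManagement: false,
                                                 validateImageData: true))
        {
            if (!original.RawFormat.Equals(ImageFormat.Jpeg) &&
                !original.RawFormat.Equals(ImageFormat.Png) &&
                !original.RawFormat.Equals(ImageFormat.Gif))
                throw new InvalidDataException("Unsupported image format.");

            // Draw the pixels into a brand-new Bitmap. Only pixels survive: EXIF,
            // trailing data, extra chunks and anything else riding in the file is dropped.
            int width = Math.Min(original.Width, MaxWidth);
            int height = Math.Max(1, (int)Math.Round(original.Height * (double)width / original.Width));
            using (var resized = new Bitmap(width, height, PixelFormat.Format24bppRgb))
            using (Graphics g = Graphics.FromImage(resized))
            {
                g.InterpolationMode = InterpolationMode.HighQualityBicubic;
                g.DrawImage(original, 0, 0, width, height);

                // Server-chosen name: the uploader never learns or controls it.
                string id = Guid.NewGuid().ToString("N");
                Directory.CreateDirectory(UploadDir());
                resized.Save(Path.Combine(UploadDir(), id + ".png"), ImageFormat.Png);
                return id;
            }
        }
    }
}

// The "proxy": an IHttpHandler registered e.g. as /image.ashx?id=... that streams
// the stored file only after an authorisation check you supply.
public class ImageProxyHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext ctx)
    {
        string id = ctx.Request.QueryString["id"];
        // Accept only the exact shape Store() generates; this also rules out "../" tricks.
        if (string.IsNullOrEmpty(id) || id.Length != 32 || !IsHex(id))
        { ctx.Response.StatusCode = 400; return; }

        // Per-user permissions hook (user A must not see user B's images).
        if (!UserMayView(ctx.User, id)) { ctx.Response.StatusCode = 403; return; }

        string path = Path.Combine(SafeImageUpload.UploadDir(), id + ".png");
        if (!File.Exists(path)) { ctx.Response.StatusCode = 404; return; }

        ctx.Response.ContentType = "image/png";
        ctx.Response.AppendHeader("X-Content-Type-Options", "nosniff"); // no browser re-sniffing
        ctx.Response.AppendHeader("Content-Disposition", "inline; filename=\"" + id + ".png\"");
        ctx.Response.TransmitFile(path);
    }

    private static bool IsHex(string s)
    {
        foreach (char c in s) if (!Uri.IsHexDigit(c)) return false;
        return true;
    }

    // Assumed placeholder: replace with your ownership or permission lookup.
    private static bool UserMayView(System.Security.Principal.IPrincipal user, string id)
    {
        return true;
    }
}
```

In the upload form's postback handler, `SafeImageUpload.Store(fileUpload.PostedFile)` returns the id to record against the user, and the page references the image as `/image.ashx?id=<id>`. Because every stored file is a PNG written by Bitmap.Save under a name the client never saw, nothing the uploader placed in the original bytes reaches other visitors, and the permission decision lives in one place.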