
I've got a simple form:

@using (Html.BeginForm(null, null, FormMethod.Post, new { enctype="multipart/form-data" }))
{
    <input type="file" name="file" />
    <br />
    <input type="submit" value="Upload" />
}

which I'm posting to:

[HttpPost]
public ActionResult Upload(HttpPostedFileBase file)
{
    if (file != null && file.ContentLength > 0)
    {
        // All necessary validation logic here
    }

    return RedirectToAction("Index");
}

I'm trying to restrict uploaded files to jpeg, png and gif formats. I want to be able to restrict minimum and maximum width and height of the uploaded image as well as image filesize.

I guess I can check the size by simply changing the if statement to:

if (file.ContentLength > 0 && file.ContentLength < maxUploadSize)

I know how to check the extension of the uploaded file but I would prefer to check its mime-type/header as well.

Question:

Given the example code above, how do I properly validate the uploaded file? I want to make sure that the file is:

  • a JPEG, GIF or a PNG file (checking file extension and file header)
  • not bigger than maximum upload size (file size)
  • of dimensions within predefined limit (width/height)
LukeP
  • possible duplicate of [How to validate uploaded file in ASP.NET MVC?](http://stackoverflow.com/questions/6388812/how-to-validate-uploaded-file-in-asp-net-mvc) – Darin Dimitrov May 21 '12 at 06:33

1 Answer


as you said, you should just validate image type by its file extension. since request header can be faked, it's not reliable.

for maximum upload size, you need to update your web.config or machine.config depending on your needs - app level or machine level.

for IIS6:

<location path="upload">
  <system.web>
    <httpRuntime maxRequestLength="xxx" />
  </system.web>
</location>

for IIS7: http://support.microsoft.com/kb/942074/

as for validating dimensions, you have to read in the image and check for its width and height properties and this is the constructor bitmap class to do that in-memory. if you want to save the image to file first, then use this one.

fine print: increasing this value may make you become a Denial of Service (DOS) attack victim as described here.

security measures:

  • one workaround i can think of at this moment is to set up another server/machine to handle file upload so your main web server is not taking the hit.
  • use <location path="my-upload-path"> to apply this setting to a single location.
  • consider using HttpHandler or HttpModule to handle upload.

i'll update my answer once i have a better solution than that.

Ray Cheng
  • I would not use maxRequestLength to limit the size of file uploads. Bad idea. Big side effects, and unfriendly errors. Also, file extensions can be altered more easily than request headers. – Andrew Barber May 21 '12 at 00:50
  • Not to mention that doesn't increase the limit on IIS7+ – LukeP May 21 '12 at 10:57
  • @Andrew Barber, now i know the side effects (DOS or network bandwidth or others), so is there a better way to do it? – Ray Cheng May 21 '12 at 16:20
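
The three checks the question asks for (extension plus file header, file size, width/height), written out as an added example that is not code from the question, the answer or the comments. `ImageUploadValidator`, its limits and its return strings are hypothetical; it assumes `System.Drawing` is available and a seekable stream such as `file.InputStream`.

```csharp
using System;
using System.Drawing;
using System.IO;
using System.Linq;

// Added example: hypothetical helper, not part of the original thread.
public static class ImageUploadValidator
{
    const long MaxBytes = 2 * 1024 * 1024;   // assumed size limit
    const int MinSide = 32, MaxSide = 4096;  // assumed width/height limits

    // Allowed extensions paired with the leading bytes each format must start with.
    static readonly Tuple<string[], byte[]>[] Formats =
    {
        Tuple.Create(new[] { ".jpg", ".jpeg" }, new byte[] { 0xFF, 0xD8, 0xFF }),
        Tuple.Create(new[] { ".png" }, new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A }),
        Tuple.Create(new[] { ".gif" }, new byte[] { 0x47, 0x49, 0x46, 0x38 })  // "GIF8" (87a and 89a)
    };

    // Returns null when the upload passes, otherwise the name of the failed check.
    // From the action: Validate(file.FileName, file.ContentLength, file.InputStream)
    public static string Validate(string fileName, long length, Stream content)
    {
        if (length <= 0 || length > MaxBytes) return "size";

        var ext = Path.GetExtension(fileName ?? "").ToLowerInvariant();
        var format = Formats.FirstOrDefault(f => f.Item1.Contains(ext));
        if (format == null) return "extension";

        // The header must match the format the extension claims, not just any allowed format.
        var head = new byte[format.Item2.Length];
        content.Position = 0;
        int read = 0, n;
        while (read < head.Length && (n = content.Read(head, read, head.Length - read)) > 0)
            read += n;
        if (read < head.Length || !head.SequenceEqual(format.Item2)) return "header";

        content.Position = 0;
        try
        {
            // validateImageData: false skips GDI+'s full validation pass; Width/Height are still available.
            using (var img = Image.FromStream(content, false, false))
                if (img.Width < MinSide || img.Height < MinSide || img.Width > MaxSide || img.Height > MaxSide)
                    return "dimensions";
        }
        catch (ArgumentException) { return "not an image"; }  // GDI+ could not parse the stream
        finally { content.Position = 0; }                     // rewind so the caller can still save the file
        return null;
    }
}
```

The request's declared `Content-Type` is not consulted at all: the decision rests on bytes the server reads itself, which is the part a client cannot simply relabel.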