193

In my web application (asp.net,c#) I am uploading video file in a page but I want to upload only flv videos. How can I restrict when I upload other extension videos?

shA.t
  • 16,580
  • 5
  • 54
  • 111
Surya sasidhar
  • 29,607
  • 57
  • 139
  • 219

14 Answers14

368

Path.GetExtension

string myFilePath = @"C:\MyFile.txt";
string ext = Path.GetExtension(myFilePath);
// ext would be ".txt"
James
  • 80,725
  • 18
  • 167
  • 237
  • 11
    This allows someone to just rename any file *.flv and upload it. Depending on what your requirements are, you might want to check the MIME type as well. – David Glenn Dec 11 '09 at 09:44
  • Does not the MIME type usually get set according to the file name extension? – Thilo Dec 11 '09 at 09:49
  • @Thilo, you're right, but the extension can be changed without changing the mime content type. The mime type describes the data contained in the file, so it can be handled appropriately see http://en.wikipedia.org/wiki/MIME – Mark Dickinson Dec 11 '09 at 11:25
  • 2
    No, the better way is to check file content. It is necessary to check flv signature. – Marat Faskhiev Dec 11 '09 at 11:38
  • 2
    Just to add to this since it’s still a popular answer - the MIME type argument is just as insecure as the extension as both can be spoofed. A combination of both checks is probably a *reasonable* solution but ultimately if security is a concern then there should be more rigourous checks e.g. blocking unsigned files or content sampling. – James Feb 28 '18 at 18:41
  • This does not all the time behave well in Windows 7. – hubert17 Jul 22 '21 at 16:14
  • @hubert17 interesting, in what way? Also which version of .NET? – James Aug 18 '21 at 16:25
31

You may simply read the stream of a file 

using (var target = new MemoryStream())
{
    postedFile.InputStream.CopyTo(target);
    var array = target.ToArray();
}

First 5/6 indexes will tell you the file type. In case of FLV its 70, 76, 86, 1, 5.

private static readonly byte[] FLV = { 70, 76, 86, 1, 5};

bool isAllowed = array.Take(5).SequenceEqual(FLV);

if isAllowed equals true then its FLV.

OR

Read the content of a file

var contentArray = target.GetBuffer();
var content = Encoding.ASCII.GetString(contentArray);

First two/three letters will tell you the file type.
In case of FLV its "FLV......"

content.StartsWith("FLV")
SomePerson
  • 581
  • 1
  • 6
  • 18
Mukul Yadav
  • 311
  • 3
  • 2
  • 3
    This should be rated higher. If you really want your application to work and the data is untrusted, you should check the beginning. – PRMan Apr 24 '17 at 21:14
7

At the server you can check the MIME type, lookup flv mime type here or on google.

You should be checking that the mime type is

video/x-flv

If you were using a FileUpload in C# for instance, you could do

FileUpload.PostedFile.ContentType == "video/x-flv"
Mark Dickinson
  • 6,573
  • 4
  • 29
  • 41
6

In addition, if you have a FileInfo fi, you can simply do:

string ext = fi.Extension;

and it'll hold the extension of the file (note: it will include the ., so a result of the above could be: .jpg .txt, and so on....

Noctis
  • 11,507
  • 3
  • 43
  • 82
6
string FileExtn = System.IO.Path.GetExtension(fpdDocument.PostedFile.FileName);

The above method works fine with the Firefox and IE: I am able to view all types of files like zip,txt,xls,xlsx,doc,docx,jpg,png.

But when I try to find the extension of file from Google Chrome, I fail.

MAXE
  • 4,978
  • 2
  • 45
  • 61
Papun Sahoo
  • 407
  • 5
  • 13
  • 2
    What's the relation between Firefox, IE, Chrome and C#? The OP is talking about server-side code, nothing about the browser or any type of client code... – MAXE Oct 28 '21 at 13:40
5

I'm not sure if this is what you want but:

Directory.GetFiles(@"c:\mydir", "*.flv");

Or:

Path.GetExtension(@"c:\test.flv")
Carra
  • 17,808
  • 7
  • 62
  • 75
4

EndsWith()

Found an alternate solution over at DotNetPerls that I liked better because it doesn't require you to specify a path. Here's an example where I populated an array with the help of a custom method 

        // This custom method takes a path 
        // and adds all files and folder names to the 'files' array
        string[] files = Utilities.FileList("C:\", "");
        // Then for each array item...
        foreach (string f in files)
        {
            // Here is the important line I used to ommit .DLL files:
            if (!f.EndsWith(".dll", StringComparison.Ordinal))
                // then populated a listBox with the array contents
                myListBox.Items.Add(f);
        }
megamaiku
  • 434
  • 4
  • 11
4

It is worth to mention how to remove the extension also in parallel with getting the extension:

var name = Path.GetFileNameWithoutExtension(fileFullName); // Get the name only

var extension = Path.GetExtension(fileFullName); // Get the extension only
Mohammed Noureldin
  • 14,913
  • 17
  • 70
  • 99
2

You will not be able to restrict the file type that the user uploads at the client side[*]. You'll only be able to do this at the server side. If a user uploads an incorrect file you will only be able to recognise that once the file is uploaded uploaded. There is no reliable and safe way to stop a user uploading whatever file format they want.

[*] yes, you can do all kinds of clever stuff to detect the file extension before starting the upload, but don't rely on it. Someone will get around it and upload whatever they like sooner or later.

ZombieSheep
  • 29,603
  • 12
  • 67
  • 114
  • 1
    While he cannot prevent a hacker from uploading what he wants, he should still check on the client side as a convenience to the user. Flash uploaders should be able to check the file type. – Thilo Dec 11 '09 at 09:40
  • 1
    The OP didn't mention Flash uploaders (that is 'uploaders written in Flash', rather than 'uploaders of Flash content'). The question is tagged with asp.net and c# tags, and with those technology choices, the client-side checking is limited and easily defeated. :) – ZombieSheep Dec 11 '09 at 09:44
  • For a video upload site, he should have something better on the client-side then an HTML upload form. Multi-MB uploads without a progress bar are no fun. – Thilo Dec 11 '09 at 09:50
  • ok you saying that client side check is not that much good how can i check in server side Mr. ZombieSheep – Surya sasidhar Dec 11 '09 at 09:54
  • @Thilo - I couldn't agree more, but the question is about an ASP.net upload form. It's up to the OP whether he thinks that's good enough or not. – ZombieSheep Dec 11 '09 at 09:55
  • @Surya: plenty of answers about server-side checks already on this page. – Thilo Dec 11 '09 at 09:56
  • @Surya sasidhar - This should get you started... -> http://msdn.microsoft.com/en-us/library/aa479405.aspx – ZombieSheep Dec 11 '09 at 09:56
2

You can check .flv signature. You can download specification here:

http://www.adobe.com/devnet/flv/

See "The FLV header" chapter.

Marat Faskhiev
  • 1,282
  • 6
  • 17
  • 37
2
private string GetExtension(string attachment_name)
{
    var index_point = attachment_name.IndexOf(".") + 1;
    return attachment_name.Substring(index_point);
}
Andro
  • 2,232
  • 1
  • 27
  • 40
Aziz Nortozhiev
  • 365
  • 5
  • 8
  • You might want to use LastIndexOf in case of file name such as file.new.png. For example: var index_point = attachment_name.LastIndexOf(".") + 1; – Robert Smith Aug 31 '22 at 14:55
  • Te get the extension without the period: `Path.GetExtension(fileName).TrimStart('.')`. Works also if there is no extension. – arni Jul 10 '23 at 09:42
1

This solution also helps in cases of more than one extension like "Avishay.student.DB"

                FileInfo FileInf = new FileInfo(filePath);
                string strExtention = FileInf.Name.Replace(System.IO.Path.GetFileNameWithoutExtension(FileInf.Name), "");
avishay
  • 11
  • 2
0

Path.GetExtension(file.FileName)) will get you the file name

Im also sharing a test code if someone needs to test and ge the extention or name.

Forming a text file with name test.txt and checking its extention in xUnit.

        [Fact]
        public void WrongFileExtention_returnError()
        {
            //Arrange
            string expectedExtention = ".csv";
            var content = "Country,Quantity\nUnited Kingdom,1";
            var fileName = "test.csv";
            var stream = new MemoryStream();
            var writer = new StreamWriter(stream);
            writer.Write(content);
            writer.Flush();
            stream.Position = 0;

            //Act 
            IFormFile file = new FormFile(stream, 0, stream.Length, "", fileName);
            
            //Assert
            Assert.Equal(expectedExtention, Path.GetExtension(file.FileName));

        }

Return true as the expected and the filename extention is name.

Hope this helps someone :).

gouravm
  • 301
  • 1
  • 12
0

I know this is quite an old question but here's a nice article on getting the file extension as well as a few more values:

Get File Extension in C#

I Hope That Helps :-)!

Tim Kruger
  • 863
  • 2
  • 10
  • 26