11

I would like to determine the real file extension for security reasons.

How can I do that?

Chan Pye
  • What do you mean "real"? Are you looking for the true content type of the file? – Mark Elliot Jan 19 '10 at 04:16
  • If you mean "real extension" based on the file contents then Magic numbers are a good place to start. – cx0der Jan 19 '10 at 04:21
  • I think he is talking about the real file type. That means if you rename an EXE as a jpg he needs to detect it as an exe. Yes. Magic numbers are one of the possible ways. – Chathuranga Chandrasekara Jan 19 '10 at 04:24
  • For file extension, as in the bit at the end of the file name, you need to be very careful trusting input from untrusted sources (who'd have guessed). In particular, tricks such as inserting a NUL character may circumvent your check. – Tom Hawtin - tackline Jan 19 '10 at 04:31

3 Answers

21

Supposing you really mean to get the true content type of a file (i.e. its MIME type) you should refer to this excellent answer.

You can get the true content type of a file in Java using the following code:

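```java
import java.io.*;
import java.net.URLConnection;
// BufferedInputStream supports mark/reset, which guessContentTypeFromStream needs
File file = new File("filename.asgdsag");
InputStream is = new BufferedInputStream(new FileInputStream(file));
String mimeType = URLConnection.guessContentTypeFromStream(is);
```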
Mark Elliot
  • Also re-directed SO users with similar questions to that answer :) It's quite strange that `URLConnection.guessContentTypeFromStream` method is not well-known - a lot of resources advise to use third-party libraries, when the answer is right there in `JDK`. – Yuriy Nakonechnyy Nov 09 '12 at 11:22
0

There are a number of ways that you can do this, some more complicated (and more reliable) than others. The page I linked to discusses quite a few of these approaches.

Kaleb Brasee
-1

Not sure exactly what you mean, but however you do this it is only going to work for the specific set of file formats which are known to you.

You could exclude executables (are you talking Windows here?) - there's some file header information here http://support.microsoft.com/kb/65122 - you could scan and block files which look like they have an exe header - is this getting close to what you mean when you say 'real file extension'?

hgh
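
An added example, not code from any of the posters above: it combines the points raised on this page (magic numbers, the EXE header, and the NUL-in-filename caveat) into one upload check that accepts a file only when its claimed extension agrees with its leading bytes. The class name `UploadTypeCheck`, the methods `sniff` and `accept`, the small signature table and the allow-list are all assumptions made for illustration, and the sample byte arrays are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class UploadTypeCheck {  // hypothetical name, illustration only
    // Leading bytes ("magic numbers") of a few formats, keyed by the extension they justify.
    private static final Map<String, byte[]> MAGIC = new LinkedHashMap<>();
    static {
        MAGIC.put("exe", new byte[] {'M', 'Z'});  // DOS/PE executable header
        MAGIC.put("png", new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A});
        MAGIC.put("jpg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF});
        MAGIC.put("gif", "GIF8".getBytes(StandardCharsets.US_ASCII));
        MAGIC.put("pdf", "%PDF-".getBytes(StandardCharsets.US_ASCII));
    }

    /** Type implied by the first bytes of the content, or null if not in the table. */
    static String sniff(byte[] head) {
        for (Map.Entry<String, byte[]> e : MAGIC.entrySet()) {
            byte[] m = e.getValue();
            if (head.length >= m.length && Arrays.equals(Arrays.copyOf(head, m.length), m)) {
                return e.getKey();
            }
        }
        return null;
    }

    /** Accept only a clean name whose extension matches an allowed, recognised content type. */
    static boolean accept(String name, byte[] head, Set<String> allowed) {
        if (name.indexOf('\0') >= 0) return false;  // NUL may truncate the name in later layers
        int dot = name.lastIndexOf('.');
        if (dot < 0) return false;                  // no extension to compare against
        String ext = name.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (ext.equals("jpeg")) ext = "jpg";
        String actual = sniff(head);                // unknown content is rejected, not guessed
        return actual != null && allowed.contains(actual) && actual.equals(ext);
    }

    public static void main(String[] args) {
        Set<String> allowed = Set.of("png", "jpg", "gif", "pdf");
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0};  // constructed
        byte[] exe = {'M', 'Z', (byte) 0x90, 0, 3, 0, 0, 0};                      // constructed
        System.out.println(accept("logo.png", png, allowed));         // name and content agree
        System.out.println(accept("holiday.jpg", exe, allowed));      // EXE content renamed to .jpg
        System.out.println(accept("shell.exe\0.png", png, allowed));  // NUL embedded in the name
    }
}
```

As the last answer notes, a check like this only recognises the formats in its table, so content that matches no signature is rejected rather than trusted.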