
I've been Googling on how to get the ContentType of a file to be uploaded but to no avail. I need to get this done using Classic ASP. What I always see from Google is

response.ContentType = something

My main objective is to validate an image before uploading it. Only valid images are .jpg, .gif and .png. Thus, the valid ContentTypes are "image/jpeg", "image/gif" and "image/png".

I do not want to just rely on the file extension as a hacker can simply change the extension, say .exe to .jpg.

Please help, thank you!

ADDED: I am simply using this html control:

<input type="file" name="inputfile" />
Liz
  • Can you describe exactly what you're attempting? For a file upload the expectation is for the request content type to always be `multipart/form-data`. You should never rely on content-type as it's easy to forge. – Alex K. Feb 04 '14 at 14:28
  • Content type should only be one of these: "image/jpeg", "image/gif" and "image/png". Or do you know other way to validate images before uploading? – Liz Feb 04 '14 at 14:32
  • What content type? the request content type from a file upload via an html form? – Alex K. Feb 04 '14 at 14:34
  • Then content type should be `multipart/form-data`. To check the validity of the file you need to do it on the server after upload E.g.; http://stackoverflow.com/questions/15874740/pure-asp-upload-with-image-detection – Alex K. Feb 04 '14 at 15:08

1 Answer


Browsers may upload a filetype in the Content-Type header of the multipart/form-data subpart for the field.

Classic ASP does not natively support file uploads - what are you using to receive them? There are many libraries/controls that implement this and any mechanism to retrieve that subpart header will be dependent on what that code is.

However, the point is largely moot because:

(a) the file upload Content-Type header is massively unreliable. Browsers can and will send wrong values at a whim, and there's typically little a user can do to correct the issue. (For example on Windows the applications that are installed can easily hijack MIME type associations away from the defaults, and even on a clean install IE will typically send the wrong type for JPEGs.)

(b) an attacker can spoof a Content-Type just as easily as they can spoof a file extension.

There is rarely a good reason to pay attention to the submitted Content-Type. At best you can use it as a convenience default value for something the user can manually override.

What is your purpose in checking the type of a file?

  • if you are trying to prevent injection onto the filesystem of directly executable files (eg xxx.asp), the right thing to check is the file extension, and generally place very strong restrictions on what can be in the filename at all (because typically servers decide what files to execute server-side based on name and location). This is actually quite hard to get 100% right, so it is generally best not to use user input as a basis for local filenames at all (instead use a generated filename like 123.jpeg for an object stored in the database as primary key 123).

  • if you are trying to prevent uploading broken images or unsupported image formats, you should check the content of the file to see if it's a valid image, using an image loading library.

  • if you are trying to prevent people uploading HTML or plugin content to do cross-site-scripting attacks, there is very little you can do about that by checking the file, its name, or its content. It's possible to create ‘chameleon’ files that are valid images whilst at the same time also containing content that a browser might interpret as script under some circumstances. If you have to allow general file uploads from untrusted users then the best thing to do is serve them off a different domain, so that cross-site-scripting into it doesn't give up anything valuable.

bobince
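The checks the answer recommends in its first two bullets, as an added example that is not part of the original question or answer. It is written in Python rather than Classic ASP because the technique is language-independent: read the Content-Type of each multipart subpart (and then ignore it for the decision), sniff the leading bytes of the file for the JPEG, GIF and PNG signatures, and store accepted files under a server-generated name built from a database id and the detected type. The minimal multipart parser, the sample request body, the boundary string and the record id are all constructed for this example; a real server should use its upload library's parser. The third sample part illustrates the answer's third bullet: a file with a valid GIF header followed by HTML text passes the content check, which is why such uploads still belong on a separate domain.

```python
# Magic-byte signatures of the three accepted formats. Matching these
# inspects the actual content, which neither the submitted Content-Type
# header nor the file extension does.
SIGNATURES = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
}

# Server-chosen extension per detected type (never taken from the user).
EXTENSION_FOR = {"image/jpeg": "jpg", "image/gif": "gif", "image/png": "png"}


def parse_multipart(body: bytes, boundary: str):
    """Minimal multipart/form-data parser (constructed for this example).

    Returns a list of (headers, data) tuples, one per part, with header
    names lower-cased.
    """
    delimiter = b"--" + boundary.encode("ascii")
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        if chunk.startswith(b"\r\n"):        # CRLF that follows the delimiter
            chunk = chunk[2:]
        header_blob, _, data = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in header_blob.split(b"\r\n"):
            name, sep, value = line.partition(b":")
            if sep:
                headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
        if data.endswith(b"\r\n"):           # CRLF that precedes the next delimiter
            data = data[:-2]
        parts.append((headers, data))
    return parts


def sniff_image_type(data: bytes):
    """Return the MIME type whose signature matches the leading bytes, else None."""
    for mime, magics in SIGNATURES.items():
        if data.startswith(magics):
            return mime
    return None


def review_upload_request(body: bytes, boundary: str, next_record_id: int = 1):
    """Validate every file part of a request.

    The submitted Content-Type is recorded for logging only; acceptance
    depends solely on the detected type. Accepted files get a storage name
    derived from a (hypothetical) database primary key plus the detected
    extension, never from the user-supplied filename.
    """
    results = []
    for headers, data in parse_multipart(body, boundary):
        if "filename=" not in headers.get("content-disposition", ""):
            continue                          # ordinary form field, not a file
        detected = sniff_image_type(data)
        result = {
            "submitted_type": headers.get("content-type", ""),
            "detected_type": detected,
            "accepted": detected is not None,
        }
        if detected is None:
            result["reason"] = "content is not a JPEG, GIF or PNG"
        else:
            result["storage_name"] = f"{next_record_id}.{EXTENSION_FOR[detected]}"
            next_record_id += 1
        results.append(result)
    return results


# Constructed sample request (not captured traffic). Three file parts:
# 1. a PNG whose browser-supplied Content-Type is wrong (octet-stream);
# 2. an executable-looking "MZ" file renamed to .jpg and labelled image/jpeg;
# 3. a chameleon: a valid GIF header followed by HTML text, which a
#    signature check cannot tell apart from a real GIF.
SAMPLE_BOUNDARY = "----ExampleBoundary7MA4YWxk"
_D = ("--" + SAMPLE_BOUNDARY).encode("ascii")
SAMPLE_BODY = (
    _D + b"\r\n"
    b'Content-Disposition: form-data; name="inputfile"; filename="photo.png"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\r\n"
    + _D + b"\r\n"
    b'Content-Disposition: form-data; name="inputfile"; filename="notes.jpg"\r\n'
    b"Content-Type: image/jpeg\r\n\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00\r\n"
    + _D + b"\r\n"
    b'Content-Disposition: form-data; name="inputfile"; filename="anim.gif"\r\n'
    b"Content-Type: image/gif\r\n\r\n"
    b"GIF89a<html>not really an image</html>\r\n"
    + _D + b"--\r\n"
)

if __name__ == "__main__":
    for verdict in review_upload_request(SAMPLE_BODY, SAMPLE_BOUNDARY):
        print(verdict)
```

Running the script shows the first part accepted as image/png despite its wrong Content-Type, the second rejected despite claiming image/jpeg, and the third accepted even though it carries HTML, which is the limitation the answer describes.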