What is the safest and most convenient option to validate file paths of uploaded files for my webform?

Question

I currently have a ValidationExpression on the client-side which (somewhat) restricts the user from uploading anything other than (.txt) files.

^(([a-zA-Z]:)|(\\{2}\w+)\$?)(\\(\w[\w].*))(.txt)$

I was wondering, since this validator restricts some special characters, will I run into trouble if one of my users has the file he wishes to upload inside a folder which has a special character in its name?

Im wondering if there is a better ValidationExpression I can use on the client side to prevent any inconveniences to my users. I am in the process of setting the server-side validation, but I'd still like to have a good client-side validator as well that would allow special characters that are not too risky.

Anyone have a good solution for me?

Can you give some examples of valid and invalid input, specifically input that you think might cause a problem? — CAustin, Aug 15 '17 at 23:33
Well I'm worried about scripts being passed somehow or having any compatibility problems with special characters being used, I was thinking maybe someone could rename a folder — justinpees, Aug 15 '17 at 23:35
Why not use something like ``? Yes a user can always select `all files`, but you're gonna have to do server side validation anyways so why make it difficult for yourself. And even a script can be bypassed easily. — VDWWD, Aug 15 '17 at 23:35
@VDWWD I do currently use accept=".txt" onto of the validator. Are there no risks with accepting all characters when accepting uploaded files? — justinpees, Aug 15 '17 at 23:37
Characters and the file being uploaded have nothing to do with each other. You check, rename and store the file in your own path server side. — VDWWD, Aug 15 '17 at 23:38
@VDWWD Thank you for clearing this up for me. I'm actually having issues setting up my server-side validator for this. My question can be found here if you want to help me out with this: https://stackoverflow.com/questions/45702642/how-to-set-server-side-custom-validator-to-only-accept-txt-file-uploads Also make this an answer, so I can credit you. — justinpees, Aug 15 '17 at 23:40
You don't even need server side asp:Validators with regex. Just read the uploaded file as a byte array, check if it is a txt with `Path.GetExtension(FileUpload1.FileName)` and save it with a file name of your own. — VDWWD, Aug 15 '17 at 23:46
@VDWWD Can you guide me through how to do this please? I'm pretty new at this all together. — justinpees, Aug 15 '17 at 23:49
Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/151997/discussion-between-justinpees-and-vdwwd). — justinpees, Aug 16 '17 at 02:07

VDWWD · Accepted Answer · 2017-08-16T01:24:28.397

A quick and simple method of uploading a txt file.

<asp:FileUpload ID="FileUpload1" runat="server" accept=".txt" />
<br />
<asp:Button ID="Button1" runat="server" Text="Upload" OnClick="Button1_Click" />
<br />
<asp:Label ID="Label1" runat="server" Text="" ForeColor="Red"></asp:Label>

And then the code behind

protected void Button1_Click(object sender, EventArgs e)
{
    //check if the upload contains a file
    if (FileUpload1.HasFile == false)
    {
        Label1.Text = "No file uploaded.";
        return;
    }

    //check the file extension
    string extension = Path.GetExtension(FileUpload1.FileName);
    if (extension.ToLower() != ".txt")
    {
        Label1.Text = "Not a text file.";
        return;
    }

    //read the content of the text file
    string content = ""; ;
    using (StreamReader sr = new StreamReader(FileUpload1.PostedFile.InputStream))
    {
        content = sr.ReadToEnd();
    }

    //if there is no txt content
    if (string.IsNullOrEmpty(content))
    {
        Label1.Text = "No contents in text file.";
        return;
    }

    Label1.Text = content;

    //save the file
    File.WriteAllText(Server.MapPath("myTextFile.txt"), content);
}

A user could theoretically upload a binary file with a .txt extension. That would result in a lot of unprintable characters in Label1. There are ways you could check even for that. See the following links.

C# - Check if File is Text Based

How can I determine if a file is binary or text in c#?

Where do I insert the code behind? Do I make a new file in my bin folder? And what is the extension of that file that I make? — justinpees, Aug 16 '17 at 00:19
Updated my answer. And code behind is the `.cs` file that belongs to an aspx page. Code can be inline but is usually not done. — VDWWD, Aug 16 '17 at 01:25
So i just paste your code into a new file and rename it "test.cs" and place it in my bin folder? — justinpees, Aug 16 '17 at 01:29
I made a file called: Button1_Click.cs but then my webform returned an error. When I removed the OnClick="Button1_Click" Im able to view my site again but the function doesn't work. Am I missing something? Do I need to edit your code at all or should it have worked as is? — justinpees, Aug 16 '17 at 01:51

What is the safest and most convenient option to validate file paths of uploaded files for my webform?

1 Answers1