
With that code in mind, how can I check whether the file the user wants to upload is a .EXE or a .PDF, for example?

  /// <summary>
  /// Reads the JSON-encoded "model" form field and moves the files it names from the
  /// temporary upload folder to the final upload folder.
  /// </summary>
  /// <remarks>
  /// The file list comes from the request, so it is client-controlled. Nothing in the
  /// visible code inspects a file's extension or content before it is moved.
  /// The snippet is truncated in the post: the catch block and the return are not shown.
  /// </remarks>
  [HttpPost]
    public JsonResult SaveInfo()
    {
        try
        {
            // Request.Form["model"] is client-supplied JSON; every field of the model is untrusted input.
            var model = JsonConvert.DeserializeObject<ApontamentoViewModel>(Request.Form["model"]);
            // NOTE(review): the guard reads model.filePath but the split below reads
            // model.CaminhoArquivo; presumably the same property, only partly renamed for the post. Confirm.
            if (!string.IsNullOrWhiteSpace(model.filePath))
            {
                // Split the ';'-separated list and drop duplicates.
                // Split(';') keeps empty entries (for example from a trailing ';').
                var listArquivos = model.CaminhoArquivo.Split(';').Distinct().ToList();

                // Write the de-duplicated list back to the model.
                model.filePath= string.Join(";", listArquivos);


                // Resolve the final and temporary upload folders from appSettings to physical paths.
                string caminhoRaiz = Server.MapPath(System.Configuration.ConfigurationManager.AppSettings.Get("FinalUploadFolder"));
                _CaminhoRaizTempUpload = Server.MapPath(System.Configuration.ConfigurationManager.AppSettings.Get("TempUploadFolder"));

                // Collect every file under the temp folder (recursively) whose full path contains
                // one of the client-supplied entries.
                // NOTE(review): this is a substring match on the whole path, so an empty entry matches
                // every staged file and a short entry can match files this request never uploaded.
                // Comparing Path.GetFileName(s) for equality would be tighter; confirm how temp files are named.
                var files = Directory.EnumerateFiles(_CaminhoRaizTempUpload, "*.*", SearchOption.AllDirectories)
                                 .Where(s => listArquivos.Any(arquivo => s.Contains(arquivo)))
                                 .ToList();


                // Move each match into the final folder under its bare file name (sub-folders are flattened).
                // NOTE(review): an extension/content allow-list check belongs here, before the move.
                // File.Move throws if a file with the same name already exists in the destination.
                files.ForEach(arquivoMover =>
                {
                    var nomeArquivo = System.IO.Path.GetFileName(arquivoMover);
                    System.IO.File.Move(arquivoMover, System.IO.Path.Combine(caminhoRaiz, nomeArquivo));

                });

            }
jhensen
    Possible duplicate of [Using .NET, how can you find the mime type of a file based on the file signature not the extension](https://stackoverflow.com/questions/58510/using-net-how-can-you-find-the-mime-type-of-a-file-based-on-the-file-signature) – Mustafa Gursel Jun 25 '19 at 17:48

1 Answer


You can use

// Returns the extension of FileName including the leading dot and with its original
// casing (".EXE" and ".exe" are different strings), or an empty string when the name has none.
System.IO.Path.GetExtension(FileName);

for extracting the file extension, and use it like below:

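// Runs once per staged file; arquivoMover is the file's full path.
files.ForEach(arquivoMover =>
            {
                var nomeArquivo = System.IO.Path.GetFileName(arquivoMover);
                // GetExtension keeps the leading dot and the original casing ("a.exe" -> ".exe"),
                // so the comparison must ignore case; a plain == against ".EXE" misses ".exe".
                var fileExt = System.IO.Path.GetExtension(arquivoMover);
                if (string.Equals(fileExt, ".exe", System.StringComparison.OrdinalIgnoreCase))
                {
                    //is a .EXE file
                    // NOTE(review): nothing here stops the Move below; add `return;` to skip this file.
                    // The extension is chosen by the uploader, so treat this as a first filter only:
                    // prefer an allow-list of accepted extensions and also verify the file signature.
                }
                System.IO.File.Move(arquivoMover, System.IO.Path.Combine(caminhoRaiz, nomeArquivo));

            });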

Additionally, you can use traditional string functions to get the last 4 characters of the file name (this only recognises three-letter extensions and needs a name at least four characters long):

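// Take the last four characters as the extension. This only recognises three-letter
// extensions; a name shorter than four characters is treated as having no extension
// instead of letting Substring throw ArgumentOutOfRangeException.
string fileExt = nomeArquivo.Length >= 4
    ? nomeArquivo.Substring(nomeArquivo.Length - 4, 4)
    : string.Empty;

// Lower-case independently of the server's culture so the comparison is stable.
fileExt = fileExt.ToLowerInvariant();
if (fileExt == ".exe")
{
    do_things_for_exe();
}
else if (fileExt == ".pdf")
{
    do_things_for_pdf();
}
else
{
    // Anything outside the known extensions is rejected.
    // The extension is uploader-controlled, so passing this check does not prove the content type.
    throw new Exception("file format unrecognized");
}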
Kamil
jme
    As an attacker can change the extension of a malicious file (and include malicious code in an acceptable file type), matching the extension against a whitelist is not enough. Checking the MIME type detected from the file's content, rather than the one declared by the client, verifies that the file actually is of the type it claims to be. – quiqs Jun 28 '19 at 00:32
  • 1
    You are right, checking file extension is not enough. Checking the MIME type is already answered in [this](https://stackoverflow.com/questions/58510/using-net-how-can-you-find-the-mime-type-of-a-file-based-on-the-file-signature) question. – jme Jun 28 '19 at 15:10