3

I am trying to upload a file and check its extension. I know it is not a good practice, but this is the code I am using. It works fine, but I am facing an issue with Apple Mac users: they are not able to upload PDF files.

    if (upload1.HasFile)
    {
        // The file name (and therefore the extension) is supplied by the client
        Finfo = new FileInfo(upload1.PostedFile.FileName);
        string ext = Finfo.Extension.ToLower();
        if (ext == ".docx" || ext == ".doc" || ext == ".xls" ||
            ext == ".xlsx" || ext == ".pdf" || ext == ".jpg" ||
            ext == ".png" || ext == ".gif" || ext == ".txt" ||
            ext == ".mp4" || ext == ".ppt" || ext == ".bmp" ||
            ext == ".swf" || ext == ".rm" || ext == ".pptx")
        {
            // Accept File
        }
    }

Now I thought I would use this code, so that it will solve the problem:

    // ContentType is whatever the browser sent with the upload
    string contentType = upload1.PostedFile.ContentType;
    if (
        contentType == "text/rtf" ||
        contentType == "application/doc" ||
        contentType == "appl/text" ||
        contentType == "application/vnd.msword" ||
        contentType == "application/vnd.ms-word" ||
        contentType == "application/winword" ||
        contentType == "application/word" ||
        contentType == "application/msword" ||
        contentType == "application/x-msw6" ||
        contentType == "application/x-msword" ||
        contentType == "application/pdf" ||
        contentType == "application/x-pdf" ||
        contentType == "application/vnd.openxmlformats-officedocument.wordprocessingml.document" ||
        contentType == "application/vnd.openxmlformats-officedocument.wordprocessingml.template"
        )
    {
        // Accept File
    }

Is it a good way to accept files from users? I need to allow all files except EXE, DMG, DLL, CS, SQL, BAT. How do I ensure that it will work on all operating systems?

  • Apple users may use OpenOffice or some other software to upload, so we need to allow this type of file also.

Can anybody tell me how to handle this situation?

Ravi Gadag

8 Answers

2

Content type is basically determined by the client, but mostly the client may not send the content type; in that case checking the extension is the only and best way to verify the type of file. Or you should check both. We did face a problem with some Mac clients that did not send the content type.

In case of the absence of both, you will have to check the first few bytes of the file to check its type.

Content type is a bad idea because if the user does not have the corresponding software installed, the OS will send the wrong content type.

Akash Kava
1

When they upload the files, do they need to be available immediately? What I have done in the past is to place them in a pending folder on the server, then at a given interval (although it could be a function called following upload) I run a small process that reads the first few bytes of data. Most of these file types have a header record, often in plain text; PDF, for example, has "%PDF" as the first 4 characters. Executables often start with the characters "MZ". Have a look in a hex editor (TextPad will work, for example). This is of course your final port of call, your safety net; the first step is to limit by suffix as you are doing (although this is no real guarantee of file contents). You can also use MIME types to block certain types (Mime Type List), which will help too. See here for example: http://forums.asp.net/p/1554764/3829242.aspx

Edit: Note that some of those files you wish to omit are just text files: .bat and .cs for example. So MIME types or reading the start of the data will not help, and the best way is to either ban these extensions altogether or rename the extensions to .txt when saving on the server. They can do no harm as text files with a .txt extension, as they will not be executable. You will also need to consider .reg, I guess, too.

Wolf5370
0

" I need to allow All Files Except EXE,DMG, DLL,CS, SQL, BAT, . how do i ensure that it will work on all operating systems. "

I would use the file extension as the first line of defense, then content type, then file signature. Try using a nested if statement three levels deep to ensure the file passes all the way through.

For this code:

if (Finfo.Extension.ToLower() == ".docx" || Finfo.Extension.ToLower() == ".doc" || Finfo.Extension.ToLower() == ".xls" ||.....

Why not just do reverse logic on the file extensions that are prohibited?

if (Finfo.Extension.ToLower() != ".exe" && Finfo.Extension.ToLower() != ".dmg" && Finfo.Extension.ToLower() != ".dll" &&.......etc

That will save you some code, especially if the acceptance list is not finite and/or small. Think about the guy who may have to make changes to your code later....maybe you :*)

  • For example, let's say a few years later one of the accepted file types becomes unacceptable. The programmer will either have to sift through all of the accepted "OR" cases to find the one that needs to be removed, or they can just tack on another "&&" case using reverse logic. I have personally had to search through thousands of lines of code in order to make fixes like this, trust me. – Taruchu Nov 26 '13 at 22:19
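
The layered check described in the answers above (extension first, then the file's leading bytes), as an added example that is not code from any poster. `UploadCheck` and `Reject` are hypothetical names, the GIF/PNG/JPEG/ZIP signatures go beyond the "%PDF" and "MZ" headers mentioned on the page, and the client-supplied `ContentType` is deliberately not consulted because, as the answers report, some clients omit it or send a wrong value.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;

// Added example; UploadCheck and Reject are hypothetical names, not from the page.
static class UploadCheck
{
    // Extensions the question wants refused.
    static readonly HashSet<string> Blocked = new HashSet<string>(
        new[] { ".exe", ".dmg", ".dll", ".cs", ".sql", ".bat" }, StringComparer.OrdinalIgnoreCase);

    // Expected leading bytes for some binary types ("%PDF" is quoted in the answers).
    static readonly Dictionary<string, byte[]> Magic =
        new Dictionary<string, byte[]>(StringComparer.OrdinalIgnoreCase)
    {
        { ".pdf",  Encoding.ASCII.GetBytes("%PDF") },
        { ".gif",  Encoding.ASCII.GetBytes("GIF8") },
        { ".png",  new byte[] { 0x89, 0x50, 0x4E, 0x47 } },
        { ".jpg",  new byte[] { 0xFF, 0xD8, 0xFF } },
        { ".docx", new byte[] { 0x50, 0x4B, 0x03, 0x04 } }, // ZIP container
    };

    static bool StartsWith(byte[] head, byte[] sig)
    {
        return head.Length >= sig.Length && head.Take(sig.Length).SequenceEqual(sig);
    }

    // Returns null when the upload is accepted, otherwise the reason for rejection.
    public static string Reject(string clientFileName, Stream content)
    {
        string ext = Path.GetExtension(clientFileName);
        if (string.IsNullOrEmpty(ext)) return "no extension";
        if (Blocked.Contains(ext)) return "blocked extension";
        byte[] head = new byte[8];
        int n = content.Read(head, 0, head.Length);
        Array.Resize(ref head, n);
        // A renamed executable still carries its "MZ" header.
        if (StartsWith(head, Encoding.ASCII.GetBytes("MZ"))) return "executable header";
        byte[] sig;
        if (Magic.TryGetValue(ext, out sig) && !StartsWith(head, sig))
            return "content does not match extension";
        return null;
    }

    static void Main()
    {
        // Constructed sample uploads, not real files.
        var pdf = new MemoryStream(Encoding.ASCII.GetBytes("%PDF-1.4\n"));
        var exe = new MemoryStream(new byte[] { 0x4D, 0x5A, 0x90, 0x00 });
        Console.WriteLine(Reject("report.PDF", pdf) ?? "accepted");
        Console.WriteLine(Reject("invoice.pdf", exe) ?? "accepted");
        Console.WriteLine(Reject("run.bat", new MemoryStream()) ?? "accepted");
    }
}
```

In the question's page this would be called with `upload1.PostedFile.FileName` and `upload1.PostedFile.InputStream`; reset the stream position to 0 before saving the file, since the check consumes the first bytes.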
0

The best way to do that is using the FileOpenDialog component to let the user choose a file neatly, while adding filters to the component (eg. "*.swf|swf files").

SimpleVar
0

You need to maintain a blacklist of content types, as you know what types need to be blocked rather than the types which need to be allowed, even though the latter is a much more secure practice.

I would recommend that you run the files through some antivirus web service or scan before accepting them, something like http://www.opswat.com/products/metascan

Ramesh
0

I used file extension and even content type validation. Along with that, we restricted users from uploading anything other than office documents. We even tried Telerik Upload controls to achieve the functionality. Once again, thank you to all who gave answers.

Ravi Gadag
0

Have you checked this answer: "Using .NET, how can you find the mime type of a file based on the file signature not the extension"?

Getting the MIME type from the file is possible on the server side, and you can blacklist the ones you don't want.

Also, using a regular expression to filter the file type in the Open File dialog is somewhat unreliable, since any user can type, for example, . in the file name field and upload any file type.

Community
Carlos Ferreira
-4

You should absolutely not accept all file types - this is a huge security hole.

I suspect your problem may be user error. Can you verify that the 'mac' user does not have the file open while he is trying to upload? There is no reason that an upload from mac should behave differently than from pc.

We have a similar requirement and use both data type and file name extension to determine what is being uploaded. We have no problems from mac, pc, linux or otherwise.

user229044
mson