4

I want to let users upload images and videos to my website. Normally I check the image extension for jpg or png extension. But I tested the security of my web by upload a shell to hack it, so I changed the shell's extension to .jpg.

Sadly it had been uploaded to the host's folder normally and shows all my files, so if any one know the best way to make sure this file is a video or this file is a real image before uploading it to the host in C# Asp.net web forms.

Gauravsa
  • 6,330
  • 2
  • 21
  • 30
Ahmed
  • 41
  • 1
  • 4
  • So you want to allow users to upload jpg or png files to your web site, but not allow users to upload spoofed or indirectly typed or formatted files. My guess is that your best bet would be to get an image parser whose code you trust to try to load the file and see if it succeeds. If you are paranoid, dispatch the check to a secondary process with locked down permissions. – Flydog57 Nov 04 '18 at 23:56
  • Have a look at https://stackoverflow.com/questions/58510/using-net-how-can-you-find-the-mime-type-of-a-file-based-on-the-file-signature/1685614 for actual answers. Also the comment from @Flydog57 is a viable approach, if it can be parsed as an image, it is an image. – Gabor Lengyel Nov 05 '18 at 09:14
  • Does this answer your question? [Using .NET, how can you find the mime type of a file based on the file signature not the extension](https://stackoverflow.com/questions/58510/using-net-how-can-you-find-the-mime-type-of-a-file-based-on-the-file-signature) – Mahmood Dehghan Apr 22 '21 at 11:02

3 Answers3

1

I would like to share the simplest way to get the filetype/ content type before uploading a file.

            string file_type;
            var provider = new FileExtensionContentTypeProvider();
            if(!provider.TryGetContentType(finlename, out file_type))
            {
                file_type = "application/octet-stream";
            }
namal wijekoon
  • 91
  • 4
0

You can check the content type of the file. The following code might help:

public static readonly string[] mimeTypes = new[] { "image/jpeg", "image/png" };

if (mimeTypes.Contains(fileBox.PostedFile.ContentType))
{ // Do something.    
}

Also, I would suggest client side validation. This will help check the content type before posting to the server. This will also help with saving bandwidth.

Following link should help you:

How to check file MIME type with javascript before upload?

Not only file extension, but checking mime type for "image/jpeg, image/png, image/gif' is the way to go.

Gauravsa
  • 6,330
  • 2
  • 21
  • 30
  • 1
    Note that this doesn't check anything that cannot be set by the client, and therefore has zero security value. – Gabor Lengyel Nov 05 '18 at 03:04
  • yes if the user has changed his hacker file 's extension to jpeg it will hack my server easily , this way looks only for the extension and it is easy for him to change his file's extension – Ahmed Nov 05 '18 at 20:39
0

You can validate the extension of a file. Using this code.

   protected void ValidateFile(IFormFile file)
    {
        if (file == null)
            throw new Filters.ApiException(this.Localizer[string.Format(ErrorConst.SelectFile)].Value, 400);
        if (file.Length < 1)
            throw new Filters.ApiException(this.Localizer[string.Format(ErrorConst.ErrorImageSize)].Value, 400);

        int filesize = 3;
        string[] supportedTypes = new[] { "jpg", "jpeg", "png", "bmp" };
        var fileExt = System.IO.Path.GetExtension(file.FileName).Substring(1);
        if (!supportedTypes.Contains(fileExt))
            throw new Filters.ApiException(this.Localizer[ErrorConst.ErrorImageExtension].Value, 400);
        if (file.Length > (filesize * 1024 * 1024))
            throw new Filters.ApiException(this.Localizer[string.Format(ErrorConst.ErrorImageSize, filesize)].Value, 400);
    }

And this is validated file and file size.

Thanks.

Akash Limbani
  • 1,283
  • 4
  • 14
  • 34
  • 2
    Note that this doesn't check anything that cannot be set by the user, and therefore has very little security value. (The little value comes from the fact that something malicious that is not a jpg may just not work with a jpg extension, but that's not at all certain in general, especially on Windows.) – Gabor Lengyel Nov 05 '18 at 09:12
  • 2
    Of course. It's just not secure. :) An attacker can upload any type of file, if the filename ends with one of the listed extensions. That's not what the original question was about, and it provides no security value, because the file extension is set by the client. – Gabor Lengyel Nov 05 '18 at 10:41
  • exactly Gabor , that is what i'm talking about . i need the security thing , Any one can change his file's extension to jpeg and hacking the web ! – Ahmed Nov 05 '18 at 20:46
  • As asked on the question, this answer doesnot work. – Suraj Shrestha Jul 02 '20 at 11:10