Restricting Upload File Types

I have a page that users upload files. Is there a way to restrict the file types that they can upload?

thanks,
--
Chuck Foster
Programmer Analyst
Eclipsys Corporation - St. Vincent Health System

Chuck,

You can use JavaScript to check the path entered by the user. Taking ASP.NET's programming model, I would suggest that you use a custom validator and write custom validation script for client side and server side. On your submit button, set CausesValidation to true. In JavaScript you basically look for the file type and see if it matches one you want. If yes, then set isValid to true, else false, and flag an error message.

Have a look at
http://aspnet.4guysfromrolla.com/articles/073102-1.aspx
http://www.411asp.net/home/tutorial/specific/web/userinte/webcontr/customva

HTH
Regards,
Hermit Dave
http://hdave.blogsot.com

There are some challenges to validate the file type.

1. When you use the <input type='file'> tag, you cannot customize it to restrict the file type by extension.
2. When you use the <input type='file'> tag, you also set the <form enctype='multipart/form-data'>. This setting never passes the file path back to the server. It only passes the file content. Therefore you cannot validate the file path on the server side. So your code must be limited to client-side JavaScript to test the field's pattern.
3. There is no guarantee that the browser will run your client-side code. Microsoft's validators are limited to DHTML browsers (IE and IE/Mac) and if the user turns off JavaScript, even those browsers don't work.
4. A user (in particular, a hacker) can rename an illegal file to have one of your accepted file extensions. You must defend against this.

As a result, you have to take a different approach from looking at the file path for a valid extension. You must allow the file to download into a quarantined area of your server, then use some software designed to open the file and check its contents for what you need it to be. (I'm not an expert in file formats so I cannot recommend any particular solutions for this but I'm sure there are third party solutions.) Once you have this in place, you can call it from a CustomValidator on the server side to confirm the file is valid.

--- Peter Blum
www.PeterBlum.com
Email: PLB***@PeterBlum.com
Creator of "Professional Validation And More" at http://www.peterblum.com/vam/home.aspx
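
A minimal form of the server-side content check described in the last reply, as an added example that is not code from any poster in this thread: it identifies an upload by its leading bytes rather than by the name the client supplied. The class name `UploadSniffer`, the allowlist of four types and the sample inputs are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;

// Hypothetical helper (not from the thread): classifies an upload by its
// leading bytes, so a renamed file cannot pass on its extension alone.
public static class UploadSniffer
{
    // Assumed allowlist for illustration; keep only the types the page needs.
    private static readonly KeyValuePair<string, byte[]>[] Signatures =
    {
        new KeyValuePair<string, byte[]>("png",  new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A }),
        new KeyValuePair<string, byte[]>("jpeg", new byte[] { 0xFF, 0xD8, 0xFF }),
        new KeyValuePair<string, byte[]>("gif",  new byte[] { 0x47, 0x49, 0x46, 0x38 }),       // "GIF8"
        new KeyValuePair<string, byte[]>("pdf",  new byte[] { 0x25, 0x50, 0x44, 0x46, 0x2D })  // "%PDF-"
    };
    // Returns the matched type name, or null when nothing on the allowlist matches.
    public static string Detect(Stream content)
    {
        long start = content.CanSeek ? content.Position : 0;
        byte[] head = new byte[8];
        int read = 0, n;
        // Stream.Read may return fewer bytes than requested, so loop until full or EOF.
        while (read < head.Length && (n = content.Read(head, read, head.Length - read)) > 0)
            read += n;
        if (content.CanSeek) content.Position = start; // rewind for the code that stores the file
        foreach (KeyValuePair<string, byte[]> sig in Signatures)
            if (read >= sig.Value.Length && StartsWith(head, sig.Value))
                return sig.Key;
        return null;
    }

    private static bool StartsWith(byte[] data, byte[] prefix)
    {
        for (int i = 0; i < prefix.Length; i++)
            if (data[i] != prefix[i]) return false;
        return true;
    }
    public static void Main()
    {
        // Constructed samples: a PNG header, and page markup saved under an image name.
        byte[] png = { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A, 0x00 };
        byte[] renamed = Encoding.ASCII.GetBytes("<%@ Page %>");
        Console.WriteLine(Detect(new MemoryStream(png)) ?? "rejected");
        Console.WriteLine(Detect(new MemoryStream(renamed)) ?? "rejected");
    }
}
```

In an ASP.NET page the stream would come from the posted file's `InputStream`, with `Detect` called inside the server-side CustomValidator handler. A signature match only filters out mislabelled files; a file with a valid header can still carry unwanted content, so it belongs in front of the fuller inspection in the quarantined area, not in place of it.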