Hi,
I have a web app that allows others to upload files, and the problem is that
if I allow users to upload image files, a fake image can be uploaded and cause
XSS issues.
In the app, I do check the image dimensions on upload so that any fake image
that is actually a text file is blocked (user renames a .txt to .gif, e.g.).
However, a png file renamed to .gif can contain script, and when the file is
loaded directly in IE (type the image URL in IE and hit enter, e.g.), the
embedded script is executed by IE's JS engine. The dimension check always
returns a valid height and width, so it does not help prevent the issue.
So, my question is: What's the best way to verify an uploaded image's true
identity? I mean, how do I determine, when an uploaded image ends with .gif,
that it is indeed a valid GIF file (and so on for other common image types used
on the web)? Is there a .NET method that can be used to verify the identity?
I am using
Dim g As System.Drawing.Image = System.Drawing.Image.FromFile(theFilePath)
Dim height_ As Integer = g.Height
Dim width_ As Integer = g.Width
and it does not help the situation I mentioned above.

Hi,
You should check the uploaded file's ContentType to determine the real file
type; the ContentType will return "image/x-png" for a PNG file and
"image/gif" for a GIF file regardless of the file extension:
protected void Button1_Click(object sender, EventArgs e)
{
    if (FileUpload1.HasFile)
    {
        // MIME type as sent by the browser in the multipart upload
        string ct = FileUpload1.PostedFile.ContentType;
        Response.Write(ct);
    }
}
Hope this helps.
Sincerely,
Walter Wang (wawang@.online.microsoft.com, remove 'online.')
Microsoft Online Community Support
========================================
This posting is provided "AS IS" with no warranties, and confers no rights.
Howdy,
After the image is successfully loaded from the stream, check the RawFormat
property to find out what the real image format is:
// ImageFormat does not overload ==, so use Equals (it compares the format GUIDs)
if (g.RawFormat.Equals(System.Drawing.Imaging.ImageFormat.Png))
{
}
hope this helps
--
Milosz
"Samuel" wrote:
> Hi,
> I have a web app that allows others to upload files, and the problem is that
> if I allow users to upload image files, fake image can be uploaded and cause
> XSS issues.
> In the app, I do check image dimension when uploaded so that any fake image
> that is actually a text file is blocked (user renames a .txt to .gif, e.g.).
> However, a png file renamed to .gif can contain script that when loaded
> directly in IE (type the image URL in IE and hit enter, e.g.), the embedded
> script is executed by IE's JS engine. Dimension check always return valid
> height and width so it does not help prevent the issue.
> So, my question is: What's the best way to verify an uploaded image's true
> identity? I mean, how do I determine when an uploaded image ends with .gif,
> it is indeed a valid GIF file (and so on for other common image types used on
> the web)? Is there a .NET method that can be used to verify the identity?
> I am using
> g = System.Drawing.Image.FromFile(theFilePath)
> height_ = g.Height
> Width_ = g.Width
> and it does not help the situation I mentioned above.
Thanks, Milosz, for your input.
You're right that to determine the real image type, we could check the
RawFormat property of the Image class. The ImageFormat class
(http://msdn2.microsoft.com/en-us/li...ing.imageformat.aspx) uses GDI+
Image::GetRawFormat (http://msdn2.microsoft.com/en-us/library/ms535393.aspx),
which uses a GUID to uniquely identify an image format.
Here's some code to test it:
using System;
using System.Drawing;
using System.Drawing.Imaging;
using System.IO;

string dir = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, @"..\..\..\");
Console.WriteLine("Png: " + ImageFormat.Png.Guid);
Console.WriteLine("Gif: " + ImageFormat.Gif.Guid);
// Two genuine images and two whose extension does not match the content
string[] files = { "real.png", "real.gif", "fake.png", "fake.gif" };
Image[] imgs = new Image[files.Length];
for (int i = 0; i < files.Length; i++)
{
    imgs[i] = Image.FromFile(dir + files[i]);
    Console.WriteLine(files[i] + ": " + imgs[i].RawFormat.Guid);
    // Compare the format GUIDs; the file extension plays no part in the result
    if (imgs[i].RawFormat.Guid == ImageFormat.Png.Guid)
    {
        Console.WriteLine(files[i] + ": PNG");
    }
    else if (imgs[i].RawFormat.Guid == ImageFormat.Gif.Guid)
    {
        Console.WriteLine(files[i] + ": GIF");
    }
}
Regards,
Walter Wang (wawang@.online.microsoft.com, remove 'online.')
Microsoft Online Community Support
========================================
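As an added example covering both replies above (my code, not Walter's or Milosz's), here is a hypothetical C# helper that combines a file-signature check with the RawFormat GUID comparison and accepts an upload only when both agree with the claimed extension; the class name, method name and the allow-list table are constructed:

```csharp
using System;
using System.Collections.Generic;
using System.Drawing;
using System.Drawing.Imaging;
using System.IO;
using System.Linq;

// Hypothetical helper, not from the thread: an upload passes only if its leading
// bytes carry a known signature for the claimed extension AND GDI+ decodes it as
// that same format. The browser-supplied ContentType is deliberately not used.
public static class ImageUploadValidator
{
    // Constructed allow list: extension -> accepted file signatures.
    private static readonly Dictionary<string, byte[][]> Signatures =
        new Dictionary<string, byte[][]>(StringComparer.OrdinalIgnoreCase) {
            { ".gif", new[] { new byte[] { 0x47, 0x49, 0x46, 0x38, 0x37, 0x61 },     // "GIF87a"
                              new byte[] { 0x47, 0x49, 0x46, 0x38, 0x39, 0x61 } } }, // "GIF89a"
            { ".png", new[] { new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } } },
            { ".jpg", new[] { new byte[] { 0xFF, 0xD8, 0xFF } } } };

    // Extension -> RawFormat GUID that GDI+ must report after decoding.
    private static readonly Dictionary<string, Guid> ExpectedRawFormat =
        new Dictionary<string, Guid>(StringComparer.OrdinalIgnoreCase) {
            { ".gif", ImageFormat.Gif.Guid },
            { ".png", ImageFormat.Png.Guid },
            { ".jpg", ImageFormat.Jpeg.Guid } };

    public static bool IsGenuineImage(byte[] data, string claimedExtension)
    {
        byte[][] sigs;
        Guid expected;
        if (data == null || claimedExtension == null ||
            !Signatures.TryGetValue(claimedExtension, out sigs) ||
            !ExpectedRawFormat.TryGetValue(claimedExtension, out expected))
            return false; // extension not on the allow list
        // Step 1: magic bytes must match the claimed type (a PNG renamed to .gif fails here).
        if (!sigs.Any(s => data.Length >= s.Length && data.Take(s.Length).SequenceEqual(s)))
            return false;
        // Step 2: GDI+ must decode it as that same type (catches truncated or forged headers).
        try
        {
            using (var ms = new MemoryStream(data))
            using (var img = Image.FromStream(ms, false, true)) // validateImageData = true
                return img.RawFormat.Guid == expected; // ImageFormat has no ==; compare GUIDs
        }
        catch (Exception) { return false; } // GDI+ throws ArgumentException/OutOfMemoryException for non-image data
    }
}
```

Call it from the upload handler as IsGenuineImage(FileUpload1.FileBytes, Path.GetExtension(FileUpload1.FileName)); when serving the stored files, an X-Content-Type-Options: nosniff response header (honoured from IE8 on) additionally stops the browser from second-guessing the declared type.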