Thursday, March 22, 2012

what is the best way to verify an uploaded image is indeed an

Thanks all for your input. Indeed, this method of checking the RawFormat does prevent renaming a png to a gif, but it does not prevent a javascript-containing png from being uploaded as .png (no renaming). A png containing javascript code passes the RawFormat check.
The IE issue can be seen here (I uploaded the file to my server). Just use IE to view it:
http://www.sam-alice.com/fakegif_png.gif
This file is actually a png file (renamed to gif), and if you check it using the RawFormat method, it is of ImageFormat.Png.

PNG is not officially supported in IE6 and before. I think there's some broken and incomplete support that caused the issue. I have confirmed with the product team that we now have full support for PNG in IE7. I just verified that this issue no longer exists in IE7.
Regards,
Walter Wang (wawang@.online.microsoft.com, remove 'online.')
Microsoft Online Community Support
==================================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
WRONG. The problem still exists in IE7. Did you check the link I gave you using IE7? Just copy and paste the link into IE7's address bar and hit enter, and you will see a message popup.

Yes, I've tested it in IE7 on Windows XP SP2. Visiting the URL shows some symbols and script in the window but no script is executed. The exact IE7 build number in About is 7.0.5730.11; what's yours? Let me know your environment and I will try to find a similar environment to test again. Thanks.
Regards,
Walter Wang (wawang@.online.microsoft.com, remove 'online.')
Microsoft Online Community Support
Sorry. I tested it on Vista again with IE7 build 7.0.6000.16386 and it did
execute the script.
I'll report this to product team. Thank you for your feedback!
Regards,
Walter Wang (wawang@.online.microsoft.com, remove 'online.')
Microsoft Online Community Support
I am using 7.0.5730.11 too on Windows XP. You did not see the script probably because you have something installed on your IE that prevents javascript from executing. Test it with a pure IE environment and you will see the script in Windows XP too.
Hi,
Sorry for delayed reply. I was consulting this question with product team.
This is actually by-design behavior and is controlled by the per-zone setting titled "Open files based on content, not file extension", which is MIME sniffing. MIME sniffing is the default behavior in the Internet zone.
http://blogs.msdn.com/ie/archive/2005/02/01/364581.aspx
http://msdn.microsoft.com/library/d...etworking/moniker/overview/appendix_a.asp
Since the MIME sniffing behavior is turned on by default on the client side for the Internet zone, I'm afraid the only solution here is to verify the MIME type of the uploaded file on the server; if it does not match the file extension, then reject the file and prompt the user. The GDI+ Image class is not helping here since the file is actually a valid PNG file for it.
I'll do further research to see if there's any better workaround.
Regards,
Walter Wang (wawang@.online.microsoft.com, remove 'online.')
Microsoft Online Community Support
> I'm afraid the only solution here is to verify the mime of uploaded file on the server, if it's not the correct one with the file extension, then reject the file and prompt the user.
I understand this, but it is an IE-only solution because, as I said, Firefox does not do such upload MIME type reporting and always reports to the server based on file extension. The fake png is reported as text/html by IE, so I can reject it on the server, but it is reported as image/png by Firefox.
By the way, I don't think MIME type sniffing is working correctly in IE because:
1) if you use the html img tag to embed the fake png in a document, the code does not get executed, and a broken image is shown.
2) The code is only executed if you load the file directly using the address bar.
3) My server reported the content-type as image/gif for the fake png (you can verify it yourself).
If sniffing is done correctly, IE shouldn't sniff at all because the server response is regarded as authoritative in this document:
http://blogs.msdn.com/ie/archive/2005/02/01/364581.aspx
If everything that is said in the above document is still true in IE 7, then IE does not handle gif images correctly. Why does it execute code for a GIF image?
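The thread converges on one defensive rule: decide on the server from the bytes themselves, never from the client-supplied Content-Type (Firefox derives it from the extension, IE from sniffing) and not only from a RawFormat-style signature check (a valid PNG with script appended still has a PNG signature). The following is an added example written for this page in Python; it is not code from the thread, from the original poster or from Microsoft. It requires the magic bytes to match the claimed extension and additionally rejects an image whose bytes contain HTML or script markers. The marker list, the format table and the sample files are constructed for the example.

```python
import re

# Magic-byte prefixes for the three formats the posts mention (constructed table).
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
}
EXT_ALIASES = {"jpeg": "jpg"}

# Tags a content-sniffing browser treats as evidence of HTML. This list is an
# assumption for the example; IE's exact sniffing table is not given on the page.
HTML_MARKERS = re.compile(
    rb"<\s*(?:!doctype|html|head|body|script|iframe|object|embed|meta|title)\b",
    re.IGNORECASE,
)


def detect_format(data: bytes):
    """Format implied by the magic bytes, or None.

    This is the level of check the thread's RawFormat test performs: a PNG with
    script appended is still reported as 'png' here, so this alone is not enough.
    """
    for fmt, prefixes in MAGIC.items():
        if data.startswith(prefixes):
            return fmt
    return None


def contains_html_markers(data: bytes) -> bool:
    """True if the bytes contain anything a sniffing browser could read as HTML.

    The whole file is scanned, not only the leading bytes a browser samples, so
    the check does not depend on any one browser's sniffing window.
    """
    return HTML_MARKERS.search(data) is not None


def validate_upload(filename: str, data: bytes):
    """Return (accepted, detail).

    detail is the MIME type to serve the file with on success, otherwise the
    rejection reason. The client-supplied Content-Type is deliberately never
    consulted: the thread shows it is extension-derived in Firefox and sniffed in IE.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = EXT_ALIASES.get(ext, ext)
    if ext not in MAGIC:
        return False, f"extension .{ext} not allowed"
    actual = detect_format(data)
    if actual is None:
        return False, "no recognised image signature"
    if actual != ext:
        return False, f"content is {actual} but extension claims {ext}"
    if contains_html_markers(data):
        return False, "image contains HTML/script markers"
    return True, "image/jpeg" if actual == "jpg" else f"image/{actual}"


# Constructed sample inputs (signature plus a header stub; not complete images).
REAL_PNG = MAGIC["png"][0] + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
FAKE_GIF = REAL_PNG  # a PNG renamed to .gif, the thread's fakegif_png.gif case
PNG_WITH_SCRIPT = REAL_PNG + b"<html><script>1</script></html>"

if __name__ == "__main__":
    for name, blob in [("photo.png", REAL_PNG),
                       ("fakegif_png.gif", FAKE_GIF),
                       ("logo.png", PNG_WITH_SCRIPT)]:
        print(name, validate_upload(name, blob))
```

On the accepted path the returned MIME type is what the server should send back when the file is later requested, so the stored extension, the bytes and the response header all agree. Re-encoding accepted images through an image library and keeping only the re-encoded bytes is a further server-side step that discards appended data of this kind; on the client side, browsers released after this thread honour an X-Content-Type-Options: nosniff response header, which turns off the sniffing the posts describe.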
> 1) if you use the html img tag to embed the fake png in a document, the code does not get executed, and a broken image is shown.
> 2) The code is only executed if you load the file directly using the address bar.

If you have an image tag pointing at an image, then we know that the web page author is intending this to be an image. Based on that we can pass it off to our image processing libraries and they can tell us if it is a valid png/gif/jpg/etc and render it as such, and those libraries don't know what to do with script anyway. Eventually they just give us a bitmap back to display and not the html/script. If the website doesn't use an image tag for the image, then IE has to determine what it is first, and in steps MIME sniffing to do this.

> 3) My server reported the content-type as image/gif for the fake png (you can verify it yourself)
> If sniffing is done correctly, IE shouldn't sniff at all because server response is regarded as authoritative in this document:
> http://blogs.msdn.com/ie/archive/2005/02/01/364581.aspx

We've tried to use the server response as authoritative but due to web compat problems, MIME sniffing is still the default setting in IE7. I'm currently still discussing with an IE developer on this issue. I'll keep you posted when I get further information on this. Thanks.
Regards,
Walter Wang (wawang@.online.microsoft.com, remove 'online.')
Microsoft Online Community Support
