Re: Check that uploaded photo is a JPEG



On Feb 8, 1:06 pm, "Chris Mahoney" <chrismaho...@xxxxxxxxx> wrote:
Hi

I'm setting up a site where users will be able to upload photos. I'd
like to be able to ensure that they're uploading JPEGs, and not
malicious code. I've tried checking the MIME type, but that doesn't
seem to be reliable; for example if you rename an .exe to .jpg and
upload using Firefox, it returns "image/jpeg" (IE 6 returns
"application/octet-stream").

I understand that there probably isn't a surefire solution to this,
but a little security is better than none. Any advice? I'm using VB
2005 but I can read C# if I need to :)

Thanks
Chris

I would think the obvious (if not necessarily most efficient) solution
is to use System.Drawing.Image.FromFile(...): you can then check the
RawFormat property, or trap for any exceptions for invalid files. I
don't believe FromFile() can cause malicious code to execute.
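
The check suggested in the reply above, as an added example that is not part of the original thread. It is written in C#; the helper name `IsJpeg` and the three sample files are constructed for illustration.

```csharp
using System;
using System.Drawing;
using System.Drawing.Imaging;
using System.IO;

static class JpegUploadCheck
{
    // Hypothetical helper: true only if GDI+ decodes the file AND reports
    // the decoded container format as JPEG, whatever the file extension says.
    public static bool IsJpeg(string path)
    {
        try
        {
            // FromFile keeps the file locked until the Image is disposed.
            using (Image img = Image.FromFile(path))
            {
                // RawFormat is a fresh ImageFormat object, so compare with
                // Equals() (GUID comparison); == would compare references.
                return img.RawFormat.Equals(ImageFormat.Jpeg);
            }
        }
        catch (OutOfMemoryException)
        {
            // Image.FromFile throws this when the data is not a valid image.
            return false;
        }
        catch (FileNotFoundException)
        {
            return false;
        }
    }

    static void Main()
    {
        string dir = Path.Combine(Path.GetTempPath(), "jpegcheck-demo");
        Directory.CreateDirectory(dir);

        // Constructed sample 1: a genuine JPEG.
        string good = Path.Combine(dir, "photo.jpg");
        using (Bitmap bmp = new Bitmap(8, 8)) bmp.Save(good, ImageFormat.Jpeg);
        // Constructed sample 2: bytes starting with the "MZ" executable header, named .jpg.
        string exe = Path.Combine(dir, "renamed-exe.jpg");
        File.WriteAllBytes(exe, new byte[] { 0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00 });
        // Constructed sample 3: a valid image of the wrong type (PNG), named .jpg.
        string png = Path.Combine(dir, "renamed-png.jpg");
        using (Bitmap bmp = new Bitmap(8, 8)) bmp.Save(png, ImageFormat.Png);

        foreach (string f in new[] { good, exe, png })
            Console.WriteLine("{0}: IsJpeg = {1}", Path.GetFileName(f), IsJpeg(f));
    }
}
```

The third sample shows why trapping exceptions alone is not enough: a PNG decodes without error, and only the `RawFormat` comparison rejects it.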
