Re: How to verify/validate that only image has been uploaded




Ankur expressed precisely :
Hi Hans,
I tried the following code (that loads a file into a Bitmap object), and it seemed to distinguish images (all formats) and other files successfully.

Imports System
Imports System.Drawing

Public Class Form1
    Private Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
        ' The Bitmap constructor throws if the file is not a supported image
        Dim bm As New Bitmap("C:\test.gif")
    End Sub
End Class

Now, is it still necessary to check the headers, or could we consider this enough for verifying that the file is an image file?

One more thing, you did talk about a deliberately misformed file with an image file's header that tries for a buffer overflow. Can you provide me some such sample file or upload it somewhere and fwd the link for my testing? I don't know much about graphics and hence am incapable of even specifying minimum header information and all that jazz. I could only create images using Standard Libraries provided by Microsoft.
Thanks.


If the files load successfully into that Bitmap, then it's not necessary to check the headers. The load process undoubtedly also checks those headers.

The remark about malformed files was because you mentioned "hackers". I don't have any examples, but there were some problems in JPEG processing (see http://www.microsoft.com/technet/security/Bulletin/MS04-028.mspx, from Sept *2004*).

Hans Kesting


"Hans Kesting" wrote:

Ankur formulated the question :
Hi friends,
I am creating a photo sharing website in ASP.Net 2.0 where people can upload and share photos.
Ideally a user should upload only image (bmp, jpg, jpeg, png...) files, which is a rare case when it comes to hackers and crackers trying to upload different file formats like txt, exe, ppt, rar...
So, I want to validate & ensure that only an image file has been uploaded.
Please don't suggest that I check the file extension, whether it ends with bmp or jpg (all these are too kiddish).
I want some suggestion or program (a better option) in VB.Net or C# that checks image headers or a checksum or something similar, or some class provided by Microsoft which accomplishes the same task.
Below are 2 URLs I located in the course of verifying images:
homepages.ius.edu/rwisman/b481/PP%20lectures/WismanCG24.5.ppt
http://www.mikekunz.com/image_file_header.html
Any help is appreciated.
Thanks

You could just try to load it into a Bitmap object. If it fails, it isn't a (supported) bitmap-type.

You *could* first check if the file-header is correct (see your second link), but if you are concerned about deliberately misformed files that try to use buffer overflows to gain access to your system, that will *not* help (the headers will say it's a correct jpeg file).

Hans Kesting
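
The approach suggested in this thread (decode the upload and reject it if decoding fails), as an added C# example that is not part of the original posts. It goes one step further by checking the decoded format against an allowlist; the class name, the allowlist and the sample inputs are assumptions made for illustration.

```csharp
using System;
using System.Drawing;
using System.Drawing.Imaging;
using System.IO;
using System.Runtime.InteropServices;
using System.Text;

public static class UploadImageCheck
{
    // Formats this site accepts (an assumption for the example).
    private static readonly ImageFormat[] Allowed =
        { ImageFormat.Jpeg, ImageFormat.Png, ImageFormat.Gif, ImageFormat.Bmp };

    // True only if GDI+ decodes the stream AND the decoded format is allowed.
    // In ASP.NET the stream would be HttpPostedFile.InputStream.
    public static bool TryValidate(Stream upload, out ImageFormat detected)
    {
        detected = null;
        try
        {
            // Third argument asks GDI+ to validate the image data while loading.
            using (Image img = Image.FromStream(upload, false, true))
            {
                foreach (ImageFormat f in Allowed)
                {
                    if (img.RawFormat.Guid == f.Guid) { detected = f; return true; }
                }
                return false; // decodes, but is not a format we accept (icon, metafile, ...)
            }
        }
        catch (ArgumentException) { return false; } // not an image GDI+ can load
        catch (ExternalException) { return false; } // GDI+ failed while decoding
    }

    public static void Main()
    {
        // Constructed inputs: a PNG made in memory, and text carrying a GIF signature.
        MemoryStream png = new MemoryStream();
        using (Bitmap bmp = new Bitmap(2, 2)) { bmp.Save(png, ImageFormat.Png); }
        png.Position = 0;
        MemoryStream fake = new MemoryStream(Encoding.ASCII.GetBytes("GIF89a this is not an image"));

        ImageFormat fmt;
        Console.WriteLine("png:  " + TryValidate(png, out fmt));
        Console.WriteLine("fake: " + TryValidate(fake, out fmt));
    }
}
```

This check runs the decoder on untrusted input, so, as the reply above points out, it does not protect against flaws in the decoder itself such as the one described in MS04-028.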




