Question Detect the mime type of a file upload?

[Comotose]

Hi folks.

I want to allow members of a member site to upload images to a specific folder, the location of which is hard-coded.

I've got that part sorted OK, but it's very important that I be able to restrict the file types to certain image types (GIF JPG/JPEG PNG BMP) and that the file uploaded really be an image file, and not something potentially dangerous like a renamed .exe.

Now I realize I could take the long route and parse the filename, extract the extension and filter on that, but it's my understanding that, for various reasons, this is an insecure solution, and that it's much more preferable to get the required information from the mime type.

And that's where I'm stuck. I'm just starting out with VB.NET and so not capable of coming up with this myself.

What I really need is a generic ready-made mime detector class, which I have searched widely for. I did come up with one, but the JavaScript download links don't work (yes, I joined and logged in) and I haven't yet had a response from them about those links. The URL:

Detect file type or mime type based on content

A pity, because to my inexperienced eye it seems to be just what I need.

As .NET apparently doesn't provide any simple way to do mime detection, I would think this to be something a lot of people could use.

Any hints, pointers, suggestions most welcome.

 

[r3plica]

I am not sure what the issue is here, you can detect the file type before the file is uploaded and then you could (if you want it to be dynamic) hold a collection of allowed files types then when you start the upload process, you can do a loop through the collection to see if your file type matches any of the allowed file types.
It they do, then fine, upload the file and display a message, otherwise give the users a file type not allowed message.

 

[Comotose]

Well, my concern is the security of the upload.

Obviously I can easily filter the user's input client-side to only proceed with the upload if the filename extension matches a permitted image type.

But there are many ways a cyber-thug can upload say myimage.gif that contains executable code, and just about everything about a file can be manipulated -- even the image header can be manipulated quite easily.

I doubt there is any practical way to upload a file with 100% security against unintended and undesirable manipulation, so it comes down to making it as difficult for them as possible.

So all things considered your statement that "you can detect the file type before the file is uploaded" is actually the essence of my question: How?

Incidentally, the SitePoint book I'm using as my reference source while trying to learn VB.NET was published in 2004, so it's always possible that I'm not aware of new versions of some commands.

Or am I over-thinking the whole thing?

 

[r3plica]

If a use uploads a file, the upload control will store alot of information about that file.
For example after a user browsers for a file and presses your upload button, then they will have access to:

    Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
        If FileUpload1.HasFile Then
            Dim pName As String = FileUpload1.FileName ' which is the file name
            Dim iSize As Integer = FileUpload1.PostedFile.ContentLength ' the file size
            Dim pType As String = FileUpload1.PostedFile.ContentType ' and the content type

            If IsValidType(pType) Then
                ' Show your Success and store the fil
            Else
                ' Don't upload the file and show your error
            End If
        End If
    End Sub

    Private Function IsValidType(ByVal pType As String) As Boolean
        Dim pMimeType As MimeCollection ' a predefined collection you have created
        pMimeType = ReturnMimeTypes()
        Dim pFoundType As Boolean = False

        For Each pMime As MimeType In pMimeType
            If pMime.Name = pType Then
                pFoundType = True
            End If
        Next

        Return pFoundType
    End Sub

I would assume that that is acceptable to upload a file. I wouldnt worry too much about people trying to trick your application code.
One thing you could do, is to have some sort of approval process, so images don't become live until they have been approved. That way you will not be distributing bad content to end users (including porn, etc).

I hope that helps.

 

[Comotose]

Thanks very much for that example -- I will test it out and see if if I can incorporate the protective aspect into my existing code.

 

[r3plica]

no problem

 

[Comotose]

BTW,where is this "reputation link" that's supposed to be at the top of your posts?

I always like to show my appreciation to helpful people.

EDIT: S'OK ... after leaving the page and coming back I could see the icon then.