
Checking file type with ASP

Status
Not open for further replies.

jamiecottonuk

Technical User
Oct 29, 2007
12
GB
Hi all,

I know how to check to see what a filename's extension is and to check to see if it's valid.

The problem comes when a filename's extension is valid, but it may still contain harmful information. Imagine a scenario where a user creates a virus and renames it to photo.gif. This will get past the file extension validation.

How do I check to see if the file is a valid image or not?
 
Perhaps all files could be scanned?

Parsing the image header is an option if you only have GIF, but if you support multiple formats it would be a lot of work.

Alternatively, perhaps attempt to open the image file in ASP using a COM object and reject the upload if the image is unable to be opened. There was a buffer overrun exploit that could be embedded in one of the image formats a year or two back, so you'd want to make sure your COM/ActiveX solution took advantage of this.

Scanning all files regardless of extension would probably be best. Even MS Word docs can have a virus.
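
The header check mentioned in the reply above, written for classic ASP in VBScript as an added example (it is not code from any poster in this thread). It compares the leading bytes of an upload that has already been saved to disk against the GIF, JPEG and PNG signatures and accepts the file only when the detected type agrees with the claimed extension; the function names and the `claimedExt` parameter are assumptions. A matching signature only shows that the file starts like that image type, so it sits alongside the scanning suggested above rather than replacing it.

```vbscript
<%
' Added example: identify a saved upload by its leading signature bytes.
Const adTypeBinary = 1

' Read up to maxBytes bytes from the start of the file at path.
Function ReadHeader(path, maxBytes)
    Dim stm
    Set stm = Server.CreateObject("ADODB.Stream")
    stm.Type = adTypeBinary
    stm.Open
    stm.LoadFromFile path
    ReadHeader = stm.Read(maxBytes)   ' Null when the file is empty
    stm.Close
End Function

' True when header begins with every byte value listed in sig.
Function StartsWith(header, sig)
    Dim i
    StartsWith = False
    If IsNull(header) Then Exit Function
    If LenB(header) < UBound(sig) + 1 Then Exit Function
    For i = 0 To UBound(sig)
        If AscB(MidB(header, i + 1, 1)) <> sig(i) Then Exit Function
    Next
    StartsWith = True
End Function

' Returns "gif", "jpg" or "png", or "" when no known signature matches.
Function DetectImageType(header)
    DetectImageType = ""
    If StartsWith(header, Array(&H47, &H49, &H46, &H38, &H37, &H61)) Or _
       StartsWith(header, Array(&H47, &H49, &H46, &H38, &H39, &H61)) Then
        DetectImageType = "gif"    ' "GIF87a" or "GIF89a"
    ElseIf StartsWith(header, Array(&HFF, &HD8, &HFF)) Then
        DetectImageType = "jpg"    ' JPEG start-of-image marker
    ElseIf StartsWith(header, Array(&H89, &H50, &H4E, &H47, &H0D, &H0A, &H1A, &H0A)) Then
        DetectImageType = "png"    ' 8-byte PNG signature
    End If
End Function

' claimedExt is the extension from the upload's filename, without the dot.
Function IsAcceptableImage(path, claimedExt)
    Dim ext, detected
    ext = LCase(claimedExt)
    If ext = "jpeg" Then ext = "jpg"
    detected = DetectImageType(ReadHeader(path, 8))
    IsAcceptableImage = (detected <> "" And detected = ext)
End Function
%>
```

A renamed executable saved as photo.gif fails this check because its first bytes are not a GIF signature, while a file that merely begins with valid image bytes still passes, which is why the result should gate the upload before, not instead of, a virus scan.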
 