Secure Image upload

transparent

Programmer
Sep 15, 2001
333
GB
I'm building a website that will allow users to upload images.

I want to ensure that they only upload jpg or gif.

I could just check the extension, but that seems very insecure to me.

So, I want to prevent people being able to upload files (an exe for example) with a jpg or gif extension.

Further, I want to flag images that may be inappropriate i.e. I want to prevent people uploading porn. I was thinking I could look at the pink content?

Thoughts?
 
You did say that your app would crash:
transparent said:
if my code expects an image or jpg and tries to perform GDI operations, my app will crash
which is why I said you should include error handling.

Yes you should try to validate user input as much as possible, but error handling is equally as important (especially as errors may occur that you are not expecting).


____________________________________________________________

Need help finding an answer?

Try the Search Facility or read FAQ222-2244 on how to get better results.

 
This was an example to demonstrate that just changing the file extension was not a valid solution to the problem!

Anyway...

The try catch statement merely executes the enclosed code in isolation of the stack (which in itself can be expensive) so that your application doesn't crash.

So they have their place, so long as the developer uses them to handle unexpected situations.

So, if you know something is going to fail (i.e. the situation we have been discussing), use code to avoid the issue other than exception handling!

I think we may be converging on a similar point of view.


 
I think we may be converging on a similar point of view.
I think you may be right! My response about error handling was down to your quote "my app will crash" so as long as you know this then it seems as you are going about it correctly.

As for the actual problem of checking if a file is actually an image, I'm not too sure how easy it will be. As we've discussed earlier the two following points don't actually determine the validity of an image:

1) File Extension
2) Content Type

A possible solution (I haven't had the need to do this myself so these are mostly guesswork) may be found by using the System.Drawing.Image class to determine certain attributes (i.e. setting an image to equal the file, verifying the call and checking pixels for example).



 
It's looking more and more like I'm going to have to implement a parser that will extract info from the file's header.

i.e.

public abstract class ImageValidaton
{
    public static bool IsJpeg(byte[] rawData)
    {
        //Stuff here
        return true;
    }

    public static bool IsGif(byte[] rawData)
    {
        //Stuff here
        return true;
    }
}
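
One way to fill in the header checks sketched in the post above, as an added example that is not part of the original thread. The names UploadSniffer, SniffedType, Sniff and IsAcceptable are hypothetical, and the sample byte arrays are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Text;

// Added example, not the poster's code: all type and method names are hypothetical.
public enum SniffedType { Unknown, Jpeg, Gif }

public static class UploadSniffer
{
    // JPEG streams open with the SOI marker FF D8, followed by the FF of the next marker.
    public static bool IsJpeg(byte[] d) =>
        d != null && d.Length >= 3 && d[0] == 0xFF && d[1] == 0xD8 && d[2] == 0xFF;

    // GIF streams open with the ASCII signature "GIF87a" or "GIF89a".
    public static bool IsGif(byte[] d)
    {
        if (d == null || d.Length < 6) return false;
        string sig = Encoding.ASCII.GetString(d, 0, 6);
        return sig == "GIF87a" || sig == "GIF89a";
    }

    public static SniffedType Sniff(byte[] d) =>
        IsJpeg(d) ? SniffedType.Jpeg : IsGif(d) ? SniffedType.Gif : SniffedType.Unknown;

    // Accept only when the content signature agrees with the claimed extension.
    public static bool IsAcceptable(string fileName, byte[] d)
    {
        string ext = (Path.GetExtension(fileName) ?? "").ToLowerInvariant();
        switch (Sniff(d))
        {
            case SniffedType.Jpeg: return ext == ".jpg" || ext == ".jpeg";
            case SniffedType.Gif:  return ext == ".gif";
            default:               return false;
        }
    }

    public static void Main()
    {
        // Constructed sample inputs (leading bytes only).
        byte[] jpeg = { 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10 };
        byte[] gif  = Encoding.ASCII.GetBytes("GIF89a");
        byte[] exe  = { 0x4D, 0x5A, 0x90, 0x00 };  // "MZ" executable header

        Console.WriteLine(IsAcceptable("photo.jpg", jpeg));   // real JPEG header
        Console.WriteLine(IsAcceptable("anim.gif", gif));     // real GIF header
        Console.WriteLine(IsAcceptable("holiday.jpg", exe));  // executable renamed to .jpg
        Console.WriteLine(IsAcceptable("photo.gif", jpeg));   // content and extension disagree
    }
}
```

A matching signature only establishes what the first few bytes are, so a file can pass this check and still be truncated or malformed further in. Decoding it afterwards (for example with System.Drawing.Image, as suggested earlier in the thread) still belongs inside error handling.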
 