How to limit / check file upload of files on server side on IIS

I would like to have a whitelist of file types that users can upload to my IIS server (I'm using IIS 7.5).

What are the options that I have? For example, to limit the file size to 5 MB for a specific action in my controller, I added this section to my web.config:

```xml
<location path="home/fileupload">
  <system.web>
    <!-- maxRequestLength is in kilobytes (KB) -->
    <httpRuntime maxRequestLength="5120" /> <!-- 5MB -->
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- maxAllowedContentLength is in bytes -->
        <requestLimits maxAllowedContentLength="5242880" /> <!-- 5MB -->
      </requestFiltering>
    </security>
  </system.webServer>
</location>
```

Is there an option in web.config for setting a whitelist of allowed file types? Or is the only option to check the file types in code once the file is fully uploaded? What is the recommended technique? How can I be sure that .docx, .pdf, .jpg, etc. are really what they claim to be?

+6
3 answers

Since you need this on the server side, you can use the file's MIME type.

This post shows how to determine the MIME type based on the contents of the files (rather than the extension).

If you want to limit the input to SPECIFIC file extensions, you can simply check the file name for the extensions you want to accept. If that check passes, you can cross-reference against the library in the post I linked, to make sure that the user did not just change the file extension on you.

This will provide a fairly high degree of confidence that the file is the one you want to accept!

EDIT: Based on the comments so far, and on what you said, you are looking for this method, which should work well for you. My suggestion, if you just want to limit it to the file types listed in one of your comments: do a simple check on the file extension. If it passes, hand the file to urlmon.dll as described in the link. Make sure that it is not returned as an invalid type, i.e. executable / java / zip / etc. If it is not an invalid type, then you will have a very high degree of confidence that it is a safe file!

Finally, after reading the comments on this post, it looks like urlmon.dll may support all the file types you want implicitly, which saves you from having to check that it is not an executable or the like, but you will need to confirm that doc / docx / xls / xlsx return a valid MIME type.

+3

No, there is no web.config setting to limit what is uploaded. The only possible way to verify the uploaded data is to actually verify that data in code.

Even if there were such a setting, it would be useless anyway, because it would be based on the Content-Type header received from the client, which could be completely wrong.

In code, you can of course look at the Content-Type header, but if you are trying to verify that the uploaded data is of a specific type, you will have to do it manually based on what type of data you expect. For an image it's easy. For other types of files, this can be much more complicated.

+1

Data annotations are what you are looking for; here is a search that can help you: Google "data annotations".

Update

I think he is rejecting file extensions. If you don't want to rely on file extensions, I think your best bet is to check the MIME types. It is more complex, varies from browser to browser, and can be faked (although that is more complicated than faking an extension).

A simple but not free option is to use Telerik RadAsyncUpload .

You could write this code yourself (although I have never messed with it); this can help you get started. (That post is about the fact that you cannot reliably detect MIME types without IIS, but it should take you along the way.)

I hope you succeed. As you know, you can limit files by their size, check them by extension, and if you add validation of MIME types, I think you have done everything you could. I think this is all you can do to be safe and not exclude valid files; although I have heard about file hashing and some other options, they most definitely exclude legitimate files.

In addition, as I already mentioned, MIME types can be faked and sent to your server; to be more secure, you should check both on the client side and on the server side.

0
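The three answers above point at the same pipeline: gate the request size in web.config, whitelist the extension, and then verify the bytes themselves instead of trusting the client's Content-Type, wired in through a data annotation. The following is an added example written for this thread, not code from any of the answerers or from a library they linked. It assumes an ASP.NET MVC 5 project (System.Web.Mvc, System.ComponentModel.DataAnnotations, System.IO.Compression referenced); the attribute name `AllowedUpload`, the `UploadModel` class, the `~/App_Data/uploads` folder and the signature table are all this example's own choices.

```csharp
// Added example, not from the original thread: server-side upload validation for
// ASP.NET MVC on IIS. Assumes System.Web.Mvc and System.IO.Compression are referenced.
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.IO;
using System.IO.Compression;
using System.Linq;
using System.Web;
using System.Web.Mvc;

/// Validation attribute for an HttpPostedFileBase model property (hypothetical name).
public sealed class AllowedUploadAttribute : ValidationAttribute
{
    // Extension whitelist -> leading bytes ("magic numbers") the content must start with.
    // Signatures constructed here from the published file formats.
    private static readonly Dictionary<string, byte[][]> Signatures =
        new Dictionary<string, byte[][]>(StringComparer.OrdinalIgnoreCase)
    {
        { ".pdf",  new[] { new byte[] { 0x25, 0x50, 0x44, 0x46 } } },                          // %PDF
        { ".jpg",  new[] { new byte[] { 0xFF, 0xD8, 0xFF } } },                                // JPEG SOI
        { ".jpeg", new[] { new byte[] { 0xFF, 0xD8, 0xFF } } },
        { ".png",  new[] { new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } } },
        { ".docx", new[] { new byte[] { 0x50, 0x4B, 0x03, 0x04 } } },                          // "PK": ZIP container
    };

    private readonly long _maxBytes;
    public AllowedUploadAttribute(long maxBytes) { _maxBytes = maxBytes; }

    protected override ValidationResult IsValid(object value, ValidationContext context)
    {
        var file = value as HttpPostedFileBase;
        if (file == null || file.ContentLength == 0)
            return new ValidationResult("No file was uploaded.");
        if (file.ContentLength > _maxBytes)
            return new ValidationResult("File is too large.");

        // Step 1: extension whitelist. Only the name part is used; the client controls FileName.
        string ext = Path.GetExtension(Path.GetFileName(file.FileName));
        byte[][] allowedPrefixes;
        if (string.IsNullOrEmpty(ext) || !Signatures.TryGetValue(ext, out allowedPrefixes))
            return new ValidationResult("File type is not allowed.");

        // Step 2: content check. The client-supplied Content-Type header is ignored on purpose.
        Stream s = file.InputStream;
        s.Position = 0;
        byte[] head = new byte[16];
        int n = s.Read(head, 0, head.Length);
        s.Position = 0;
        bool prefixOk = allowedPrefixes.Any(p => n >= p.Length && p.SequenceEqual(head.Take(p.Length)));
        if (!prefixOk)
            return new ValidationResult("File content does not match its extension.");

        // Step 3: a ZIP prefix only proves "some ZIP" (the answerer's docx caveat), so for
        // .docx also require the OOXML layout: a [Content_Types].xml entry and a word/ folder.
        if (ext.Equals(".docx", StringComparison.OrdinalIgnoreCase) && !LooksLikeWordDocument(s))
            return new ValidationResult("File is not a Word document.");

        return ValidationResult.Success;
    }

    private static bool LooksLikeWordDocument(Stream s)
    {
        try
        {
            using (var zip = new ZipArchive(s, ZipArchiveMode.Read, leaveOpen: true))
            {
                bool hasTypes = zip.Entries.Any(e => e.FullName == "[Content_Types].xml");
                bool hasWord  = zip.Entries.Any(e => e.FullName.StartsWith("word/", StringComparison.Ordinal));
                return hasTypes && hasWord;
            }
        }
        catch (InvalidDataException) { return false; }   // not a readable ZIP at all
        finally { s.Position = 0; }
    }
}

// Model and controller action using the attribute (hypothetical names).
public class UploadModel
{
    [Required]
    [AllowedUpload(5 * 1024 * 1024)]   // same 5 MB as the web.config limits in the question
    public HttpPostedFileBase File { get; set; }
}

public class HomeController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult FileUpload(UploadModel model)
    {
        if (!ModelState.IsValid) return View(model);
        // Store under a server-generated name; never reuse the client's file name as a path.
        string target = Path.Combine(Server.MapPath("~/App_Data/uploads"),
            Guid.NewGuid().ToString("N") + Path.GetExtension(model.File.FileName).ToLowerInvariant());
        model.File.SaveAs(target);
        return RedirectToAction("Index");
    }
}
```

The web.config limits from the question remain the first gate (IIS rejects oversized requests before the action runs); the attribute then refuses anything whose extension is not in the table or whose first bytes do not match it. Because .docx, .xlsx and plain .zip all share the "PK" header, a prefix check alone cannot tell them apart, which is why the docx branch opens the archive and looks for the Office package layout; the same pattern (look inside the container) applies if you extend the table to .xlsx or .pptx.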

Source: https://habr.com/ru/post/922595/

