Check that uploaded photo is a JPEG

[Chris Mahoney]

Hi

I'm setting up a site where users will be able to upload photos. I'd
like to be able to ensure that they're uploading JPEGs, and not
malicious code. I've tried checking the MIME type, but that doesn't
seem to be reliable; for example if you rename an .exe to .jpg and
upload using Firefox, it returns "image/jpeg" (IE 6 returns
"application/octet-stream").

I understand that there probably isn't a surefire solution to this,
but a little security is better than none. Any advice? I'm using VB
2005 but I can read C# if I need to

Thanks
Chris

 

[wizofaus]

Hi

I'm setting up a site where users will be able to upload photos. I'd
like to be able to ensure that they're uploading JPEGs, and not
malicious code. I've tried checking the MIME type, but that doesn't
seem to be reliable; for example if you rename an .exe to .jpg and
upload using Firefox, it returns "image/jpeg" (IE 6 returns
"application/octet-stream").

I understand that there probably isn't a surefire solution to this,
but a little security is better than none. Any advice? I'm using VB
2005 but I can read C# if I need to

Thanks
Chris

I would think the obvious (if not necessarily most efficient) solution
is to use System.Drawing.Image.FromFile(...): you can then check the
RawFormat property, or trap for any exceptions for invalid files. I
don't believe FromFile() can cause malicious code to execute.

 

[Guest]

Hi

I'm setting up a site where users will be able to upload photos. I'd
like to be able to ensure that they're uploading JPEGs, and not
malicious code. I've tried checking the MIME type, but that doesn't
seem to be reliable; for example if you rename an .exe to .jpg and
upload using Firefox, it returns "image/jpeg" (IE 6 returns
"application/octet-stream").

I understand that there probably isn't a surefire solution to this,
but a little security is better than none. Any advice? I'm using VB
2005 but I can read C# if I need to

Thanks
Chris

Hi Chris

First check it with HttpPostedFile.ContentType

Then try to create a System.Drawing.Image object from a given source. If
this succeeds, you can be fairly certain the source is a valid image. In
addition, check Img.RawFormat

Sample code:

Try
Dim Img as System.Drawing.Image =
System.Drawing.Image.FromFile("C:\MyImage.gif") 'FromStream(...)

if (Img.RawFormat.Equals(System.Drawing.Imaging.ImageFormat.Jpeg)) then
... ok
Else
... wrong
End if
Catch
... wrong
End Try

 

[Chris Mahoney]

I would think the obvious (if not necessarily most efficient) solution
is to use System.Drawing.Image.FromFile(...): you can then check the
RawFormat property, or trap for any exceptions for invalid files. I
don't believe FromFile() can cause malicious code to execute.

Then try to create a System.Drawing.Image object from a given source. If
this succeeds, you can be fairly certain the source is a valid image. In
addition, check Img.RawFormat

Thanks to both of you for your help. So far it's worked with every
weird and wonderful combination I've thrown at it

Chris