How to verify/validate that only image has been uploaded

Discussion in 'ASP .Net' started by Ankur, Jan 6, 2009.

  1. Ankur

    Ankur Guest

    Hi friends,
    I am creating a photo sharing website where people can upload and share
    photos in ASP.Net 2.0.
    Ideally user should upload only image(bmp,jpg,jpeg,png...) files only, which
    is a rare case when it comes to hackers and crackers trying to upload
    different file format like txt,exe,ppt,rar...
    So, I want to validate & ensure that only image file has been uploaded.
    Please don't suggest me to check for file extension, if it ends with bmp or
    jpg(all these are too kiddish).
    I want some suggestion or program(a better option) in VB.Net or C# that
    checks image headers or checksum or something similar or some class provided
    by microsoft which accomplish the same task.
    Below are 2 URLs I located while my course for verifying images:
    homepages.ius.edu/rwisman/b481/PP%20lectures/WismanCG24.5.ppt
    http://www.mikekunz.com/image_file_header.html
    Any help is appreciated.
    Thanks
     
    Ankur, Jan 6, 2009
    #1

  2. Ankur

    Hans Kesting Guest

    Ankur formulated the question :
    > Hi friends,
    > I am creating a photo sharing website where people can upload and share
    > photos in ASP.Net 2.0.
    > Ideally user should upload only image(bmp,jpg,jpeg,png...) files only, which
    > is a rare case when it comes to hackers and crackers trying to upload
    > different file format like txt,exe,ppt,rar...
    > So, I want to validate & ensure that only image file has been uploaded.
    > Please don't suggest me to check for file extension, if it ends with bmp or
    > jpg(all these are too kiddish).
    > I want some suggestion or program(a better option) in VB.Net or C# that
    > checks image headers or checksum or something similar or some class provided
    > by microsoft which accomplish the same task.
    > Below are 2 URLs I located while my course for verifying images:
    > homepages.ius.edu/rwisman/b481/PP%20lectures/WismanCG24.5.ppt
    > http://www.mikekunz.com/image_file_header.html
    > Any help is appreciated.
    > Thanks


    You could just try to load it into a Bitmap object. If it fails, it
    isn't a (supported) bitmap-type.

    You *could* first check if the file-header is correct (see your second
    link), but if you are concerned about deliberately misformed files that
    try to use buffer overflows to gain access to your system, that will
    *not* help (the headers will say it's a correct jpeg file).

    Hans Kesting
     
    Hans Kesting, Jan 6, 2009
    #2

  3. Ankur

    Ankur Guest

    Hi Hans,
    I tried the following code (that loads file into Bitmap object), and it
    seemed to distinguish images (all formats) and other files successfully.

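    Imports System
    Imports System.Drawing

    Public Class Form1
        Private Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
            ' Constructing the Bitmap throws an exception if the file is not a supported image format.
            Dim bm As New Bitmap("C:\test.gif")
        End Sub
    End Class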

    Now, is it still necessary to check the headers or we could consider it
    enough for verifying that the file is an image file?

    One more thing, you did talk about deliberately misformed file with image
    file's header but try for buffer overflow. Can you provide me some such
    sample file or upload it somewhere and fwd the link for my testing. I don't
    know much about graphics and hence incapable of even specifying minimum
    headers information and all that jazz. I could only create images using
    Standard Libraries provided by Microsoft.
    Thanks.
     
    Ankur, Jan 7, 2009
    #3
  4. Ankur

    Hans Kesting Guest

    Ankur expressed precisely :
    > Hi Hans,
    > I tried the following code (that loads file into Bitmap object), and it
    > seemed to distinguish images (all formats) and other files successfully.
    >
    > Imports System
    > Imports System.Drawing
    >
    > Public Class Form1
    >     Private Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
    >         ' Constructing the Bitmap throws an exception if the file is not a supported image format.
    >         Dim bm As New Bitmap("C:\test.gif")
    >     End Sub
    > End Class
    >
    > Now, is it still necessary to check the headers or we could consider it
    > enough for verifying that the file is an image file?
    >
    > One more thing, you did talk about deliberately misformed file with image
    > file's header but try for buffer overflow. Can you provide me some such
    > sample file or upload it somewhere and fwd the link for my testing. I don't
    > know much about graphics and hence incapable of even specifying minimum
    > headers information and all that jazz. I could only create images using
    > Standard Libraries provided by Microsoft.
    > Thanks.
    >


    If the files load successfully into that Bitmap, then it's not
    necessary to check the headers. The load process undoubtedly also
    checks those headers.

    The remark about malformed files was because you mentioned "hackers". I
    don't have any examples but there were some problems in jpeg processing
    (see http://www.microsoft.com/technet/security/Bulletin/MS04-028.mspx,
    from sept *2004*).

    Hans Kesting


     
    Hans Kesting, Jan 7, 2009
    #4
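
An added C# example (not code from any poster in this thread) of the load-into-Bitmap check described above, applied to an upload stream: it caps the size, decodes with GDI+, accepts only the four formats named in the question, and re-encodes the pixels so nothing besides image data is stored. `UploadedImageValidator`, `ValidateAndReencode`, `ReadLimited`, `MaxBytes` and the 5 MB limit are assumptions made for the illustration.

```csharp
using System;
using System.Drawing;
using System.Drawing.Imaging;
using System.IO;

public static class UploadedImageValidator
{
    private const int MaxBytes = 5 * 1024 * 1024; // assumed upload limit
    // Returns a re-encoded PNG of the upload, or null if it is not an accepted image.
    public static byte[] ValidateAndReencode(Stream upload)
    {
        byte[] data = ReadLimited(upload, MaxBytes);
        if (data == null) return null; // larger than the limit
        try
        {
            using (MemoryStream input = new MemoryStream(data))
            using (Image img = Image.FromStream(input, false, true)) // validateImageData = true
            {
                Guid fmt = img.RawFormat.Guid;
                if (fmt != ImageFormat.Jpeg.Guid && fmt != ImageFormat.Png.Guid &&
                    fmt != ImageFormat.Gif.Guid && fmt != ImageFormat.Bmp.Guid)
                    return null; // decodable, but not an accepted format (e.g. metafile, icon)
                using (Bitmap clean = new Bitmap(img)) // copies the pixels only
                using (MemoryStream output = new MemoryStream())
                {
                    clean.Save(output, ImageFormat.Png);
                    return output.ToArray();
                }
            }
        }
        catch (ArgumentException) { return null; }    // not a decodable image
        catch (OutOfMemoryException) { return null; } // GDI+ can surface decode failures this way
        catch (System.Runtime.InteropServices.ExternalException) { return null; } // GDI+ save error
    }
    // Reads the whole stream, giving up (null) once more than max bytes have arrived.
    private static byte[] ReadLimited(Stream s, int max)
    {
        using (MemoryStream buf = new MemoryStream())
        {
            byte[] chunk = new byte[8192];
            int n;
            while ((n = s.Read(chunk, 0, chunk.Length)) > 0)
            {
                if (buf.Length + n > max) return null;
                buf.Write(chunk, 0, n);
            }
            return buf.ToArray();
        }
    }
}
```

The decode is the validation step here, so, as the replies point out with MS04-028, the check is only as sound as the GDI+ build doing the decoding.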
  5. Ankur

    Ankur Guest

    thanks Hans, for all your help.
    cheers
     
    Ankur, Jan 12, 2009
    #5