How to verify/validate that only image has been uploaded

[Ankur]

Hi friends,
I am creating a photo sharing website where people can upload and share
photos in ASP.Net 2.0.
Ideally user should upload only image(bmp,jpg,jpeg,png...) files only, which
is a rare case when it comes to hackers and crackers trying to upload
different file format like txt,exe,ppt,rar...
So, I want to validate & ensure that only image file has been uploaded.
Please don't suggest me to check for file extension, if it ends with bmp or
jpg(all these are too kiddish).
I want some suggestion or program(a better option) in VB.Net or C# that
checks image headers or checksum or something similar or some class provided
by microsoft which accomplish the same task.
Below are 2 URLs I located while my course for verifing images:
homepages.ius.edu/rwisman/b481/PP%20lectures/WismanCG24.5.ppt
http://www.mikekunz.com/image_file_header.html
Any help is appreciated.
Thanks

 

[Hans Kesting]

Ankur formulated the question :

Hi friends,
I am creating a photo sharing website where people can upload and share
photos in ASP.Net 2.0.
Ideally user should upload only image(bmp,jpg,jpeg,png...) files only, which
is a rare case when it comes to hackers and crackers trying to upload
different file format like txt,exe,ppt,rar...
So, I want to validate & ensure that only image file has been uploaded.
Please don't suggest me to check for file extension, if it ends with bmp or
jpg(all these are too kiddish).
I want some suggestion or program(a better option) in VB.Net or C# that
checks image headers or checksum or something similar or some class provided
by microsoft which accomplish the same task.
Below are 2 URLs I located while my course for verifing images:
homepages.ius.edu/rwisman/b481/PP%20lectures/WismanCG24.5.ppt
http://www.mikekunz.com/image_file_header.html
Any help is appreciated.
Thanks

You could just try to load it into a Bitmap object. If it fails, it
isn't a (supported) bitmap-type.

You *could* first check if the file-header is correct (see your second
link), but if you are concerned about deliberately misformed files that
try to use buffer overflows to gain access to your system, that will
*not* help (the headers will say it's a correct jpeg file).

Hans Kesting

 

[Ankur]

Hi Hans,
I tried the following code(that loads file into Bitmap object), and it
seemed to distinguish images(all formats) and other files sucessfully.

Imports System

Public Class Form1
Private Sub Form1_Load(ByVal sender As System.Object, ByVal e As
System.EventArgs) Handles MyBase.Load
Dim bm As New Bitmap("C:\test.gif")
End Sub
End Class

Now, is it still necessary to check the headers or we could consider it
enough for verifing that the file is an image file.

One more thing, you did talked about deliberately misformed file with image
file's header but try for buffer overflow. Can you provide me some such
sample file or upload it somewhere and fwd the link for my testing. I don't
know much about graphics and hence incapable of even specifying minimum
headers information and all that jazz. I could only create images using
Standard Libraries provided by Microsoft.
Thanks.

 

[Hans Kesting]

Ankur expressed precisely :

Hi Hans,
I tried the following code(that loads file into Bitmap object), and it
seemed to distinguish images(all formats) and other files sucessfully.

Imports System

Public Class Form1
Private Sub Form1_Load(ByVal sender As System.Object, ByVal e As
System.EventArgs) Handles MyBase.Load
Dim bm As New Bitmap("C:\test.gif")
End Sub
End Class

Now, is it still necessary to check the headers or we could consider it
enough for verifing that the file is an image file.

One more thing, you did talked about deliberately misformed file with image
file's header but try for buffer overflow. Can you provide me some such
sample file or upload it somewhere and fwd the link for my testing. I don't
know much about graphics and hence incapable of even specifying minimum
headers information and all that jazz. I could only create images using
Standard Libraries provided by Microsoft.
Thanks.

If the files load successfully into that Bitmap, then it's not
necessary to check the headers. The load process undoubtedly also
checks those headers.

The remark about malformed files was because you mentioned "hackers". I
don't have any examples but there were some problems in jpeg processing
(see http://www.microsoft.com/technet/security/Bulletin/MS04-028.mspx,
from sept *2004*).

Hans Kesting

 

[Ankur]

thanks Hans, for all your help.
cheers

Ankur expressed precisely :

If the files load successfully into that Bitmap, then it's not
necessary to check the headers. The load process undoubtedly also
checks those headers.

The remark about malformed files was because you mentioned "hackers". I
don't have any examples but there were some problems in jpeg processing
(see http://www.microsoft.com/technet/security/Bulletin/MS04-028.mspx,
from sept *2004*).

Hans Kesting