Uploading .jpeg/.jpg's to a web server.

mike55

Hi

I am successfully uploading the above files to a web server. Prior to each file being uploaded, I check to see that it is the correct file type. But how can I check the contents of the file? I.e., how do I stop someone creating a script and saving it as a .jpeg/.jpg (don't even know if this is possible) and then uploading it to my web server and letting it cause absolute havoc?

Mike55.
 
The following is code that I came across. Would appreciate it if anyone could indicate if simply opening the file to check if it is a .jpg is sufficient, or if it is too late.

Code:
        Dim sSavePath As String
        Dim sThumbExtension As String
        Dim intThumbWidth As Integer
        Dim intThumbHeight As Integer
        Dim sFilename As String

        sSavePath = "C:\Suretxtlog\Pictures\" '"~/images/"
        sThumbExtension = "_thumb"
        intThumbWidth = 160
        intThumbHeight = 120

        'If file field isn’t empty
        If IsNothing(filUpload.PostedFile) = False Then

            Dim myFile As HttpPostedFile = filUpload.PostedFile
            Dim nFileLen As Integer = myFile.ContentLength

            'Check file size (mustn’t be 0) 
            If nFileLen = 0 Then
                lblOutput.Text = "No file was uploaded."
                Return
            End If

            'Check file extension (must be JPG)
            If System.IO.Path.GetExtension(myFile.FileName).ToLower() <> ".jpg" Then
                lblOutput.Text = "The file must have an extension of JPG"
                Return
            End If

            'Read file into a data stream
            'VB array bounds are inclusive, so nFileLen - 1 gives exactly nFileLen bytes
            Dim myData() As Byte = New Byte(nFileLen - 1) {}

            myFile.InputStream.Read(myData, 0, nFileLen)

            'Make sure a duplicate file doesn’t exist. If it does, keep on appending an incremental numeric until it is unique
            sFileName = System.IO.Path.GetFileName(myFile.FileName)
            Dim file_append As Integer = 0

            While System.IO.File.Exists(sSavePath & sFilename)
                file_append += 1 'increment the counter (& would concatenate, not add)
                sFilename = System.IO.Path.GetFileNameWithoutExtension(myFile.FileName) & file_append.ToString() & ".jpg"
            End While

            'Save the stream to disk
            Dim newFile As System.IO.FileStream = New System.IO.FileStream(sSavePath & sFilename, System.IO.FileMode.Create)

            newFile.Write(myData, 0, myData.Length)
            newFile.Close()

            ' Check whether the file is really a JPEG by opening it
            Try
                ' If jpg file is a jpeg, create a thumbnail filename that is unique.
                file_append = 0

                Dim sThumbFile As String = System.IO.Path.GetFileNameWithoutExtension(myFile.FileName) & sThumbExtension & ".jpg"

                While System.IO.File.Exists(sSavePath & sThumbFile)
                    file_append += 1 'increment the counter (& would concatenate, not add)
                    sThumbFile = System.IO.Path.GetFileNameWithoutExtension(myFile.FileName) & file_append.ToString() & sThumbExtension & ".jpg"
                End While

                Dim ThumbnailCallback As System.Drawing.Image.GetThumbnailImageAbort
                Dim myCallBack As System.Drawing.Image.GetThumbnailImageAbort

                ' Save thumbnail and output it onto the webpage
                Dim mybitmap As Bitmap

                mybitmap = New Bitmap(sSavePath & sFilename)

                Dim mythumbnail As System.Drawing.Image

                mythumbnail = mybitmap.GetThumbnailImage(intThumbWidth, intThumbHeight, myCallBack, IntPtr.Zero)
                mythumbnail.Save(sSavePath & sThumbFile)
                imgPicture.ImageUrl = sSavePath & sThumbFile

                ' Displaying success information
                lblOutput.Text = "File uploaded successfully!"

                ' Destroy objects
                mythumbnail.Dispose()
                mybitmap.Dispose()
            Catch errArgument As ArgumentException
                ' The file wasn't a valid jpg file
                lblOutput.Text = "The file wasn't a valid jpg file."
                System.IO.File.Delete(sSavePath & sFilename)
            End Try
        End If

Mike55.
 
When the file is sent to your server it is just a stream of bytes without any meaning. The system doesn't care that it is a jpeg or not, a script or not - it will just pass a bunch of bytes.
The only meaning imposed on the data is by what you choose to do with it - if you save it as a .jpeg then expect errors if you try to display it or read it into an image variable but that wouldn't be enough to cause the script to actually execute.
 
If you're that scared, the jpeg is an open standard and every image format that I've seen has the beginning of the image file dedicated to metadata. You could check that the metadata is valid. E.g.: If the bytes uploaded are larger than what the image is supposed to be, there's a problem. E.g.: a 1x1 pixel image shouldn't be 10 MB, etc.
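The metadata check suggested in the last reply, as an added example that is not code from any poster in this thread: it walks the JPEG marker segments of the uploaded bytes in memory, reads the frame dimensions from the start-of-frame (SOF) segment, and compares the upload size against them. The module and function names and the 256 KB metadata allowance are assumptions chosen for illustration.

```vb
Imports System

Public Module JpegHeaderCheck
    ' Assumed allowance for EXIF/ICC metadata and tables on top of raw pixel data.
    Private Const MetadataAllowance As Long = 256 * 1024

    Private Function ReadU16(data As Byte(), i As Integer) As Integer
        Return CInt(data(i)) * 256 + CInt(data(i + 1))   ' JPEG fields are big-endian
    End Function

    ' Walks the marker segments of an in-memory upload and reports the frame size.
    ' Returns False when the bytes do not follow JPEG structure up to the SOF segment.
    Public Function TryReadJpegFrame(data As Byte(), ByRef width As Integer,
                                     ByRef height As Integer, ByRef components As Integer) As Boolean
        width = 0 : height = 0 : components = 0
        If data Is Nothing OrElse data.Length < 4 Then Return False
        If data(0) <> &HFF OrElse data(1) <> &HD8 Then Return False   ' SOI must come first
        Dim pos As Integer = 2
        While pos + 4 <= data.Length
            If data(pos) <> &HFF Then Return False                    ' not at a marker
            Dim marker As Integer = data(pos + 1)
            If marker = &HFF Then                                     ' fill byte, skip it
                pos += 1
                Continue While
            End If
            ' SOS (start of scan) or EOI before any frame header: not a usable image
            If marker = &HDA OrElse marker = &HD9 Then Return False
            Dim segLen As Integer = ReadU16(data, pos + 2)
            If segLen < 2 OrElse pos + 2 + segLen > data.Length Then Return False
            ' SOF0..SOF15, excluding DHT (C4), JPG (C8) and DAC (CC)
            Dim isSof As Boolean = marker >= &HC0 AndAlso marker <= &HCF AndAlso
                marker <> &HC4 AndAlso marker <> &HC8 AndAlso marker <> &HCC
            If isSof Then
                If segLen < 8 Then Return False                       ' too short for a frame header
                height = ReadU16(data, pos + 5)
                width = ReadU16(data, pos + 7)
                components = data(pos + 9)
                Return width > 0 AndAlso height > 0 AndAlso components > 0
            End If
            pos += 2 + segLen                                         ' jump to the next segment
        End While
        Return False
    End Function

    ' Size-versus-dimensions heuristic: compressed data should not exceed the
    ' uncompressed pixel data plus the assumed metadata allowance.
    Public Function LooksLikePlausibleJpeg(data As Byte()) As Boolean
        Dim w, h, c As Integer
        If Not TryReadJpegFrame(data, w, h, c) Then Return False
        Return data.Length <= CLng(w) * h * c + MetadataAllowance
    End Function
End Module
```

In the upload handler posted above, `LooksLikePlausibleJpeg(myData)` would run before the `FileStream` write, so a rejected upload is never saved under the web server's control. A header that parses does not show the rest of the bytes are image data, so this complements the decode step rather than replacing it.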
 