How to restrict/validate file upload filetypes server side on IIS

I would like to have a whitelist of filetypes that users are authorized to upload to my IIS server (I'm using IIS v7.5).

What options do I have? For example, to restrict file size to 5MB for a specific action in my controller, I added this section to my web.config:

<location path="home/fileupload">
  <system.web>
    <!-- maxRequestLength is in kilobytes (KB) -->
    <httpRuntime maxRequestLength="5120" /> <!-- 5MB -->
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- maxAllowedContentLength is in bytes -->
        <requestLimits maxAllowedContentLength="5242880"/> <!-- 5MB -->
      </requestFiltering>
    </security>
  </system.webServer>
</location>

Is there an option in the web.config to set a whitelist of allowed filetypes? Or is the only option to validate the filetypes in code when the file is fully uploaded? What are the recommended techniques? How can I be sure that the .docx, .pdf, .jpg, etc. are really what they are?

Alexandre Jobin asked Aug 10 '12 16:08


2 Answers

Since you are wanting server side, you could use the file's MIME type.

THIS post shows how to determine the MIME type based on the file's contents (instead of by the extension).

If you do want to limit the input to SPECIFIC file extensions, you could simply check the input name against what you want to accept. If this passes, you could do an xref against the library in the post I linked to make sure the user didn't just change the file extension on you.

Doing this would provide a pretty good degree of certainty that the file is one that you want to accept!

EDIT: Based on comments so far.... Based on what you have said you are looking for, this method should work quite nicely for you. My suggestion if you are simply wanting to limit it to the types of files listed in one of your comments... Do a simple check on the file extension. If that is valid, then pass the file to the urlmon.dll listed in the link. Make sure it doesn't come back as an invalid type.... aka Executable/java/zip/etc. If it isn't an invalid type, then you will have a very high degree of certainty that it is a safe file!

Lastly, reading through the comments on that post, it looks like the urlmon.dll might support all the file types you are wanting implicitly, which would remove the need to check that it isn't an executable or something of that nature, but you would need to confirm that doc/docx/xsl/xslx do return a valid mime type.

Jared answered Oct 23 '22 06:10


No, there is no web.config setting to restrict what gets uploaded. The only possible way to validate uploaded data is to actually validate that data in code.

Even if there were a setting, it would be useless anyway because it would be based on the Content-Type headers received from the client, which can be quite wrong.

In code, you can certainly look at the Content-Type header, but if you're trying to validate that the uploaded data is of a specific type, you're going to have to do so manually, based on what kind of data you are expecting. For an image, this is easy. For other file types, it can be a lot harder.

dodexahedron answered Oct 23 '22 04:10
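Both answers land on the same point: the web.config fragment in the question only bounds the request size, and whether the bytes really are a PDF, JPEG or docx has to be checked in code, ignoring the Content-Type the browser sent. (IIS request filtering's fileExtensions element does not help either: it filters the extension of the request URL, not the name of a file inside a multipart body.) Below is an added example of that check, written for this edit and not taken from the question or either answer, as a helper an MVC action could call. It assumes .NET 4.5 or later (System.IO.Compression) and a seekable input stream such as HttpPostedFileBase.InputStream; UploadValidator, Demo and the sample byte strings are hypothetical. Instead of urlmon's FindMimeFromData, which sniffs only the first 256 bytes and reports any ZIP-based format (docx, xlsx, jar) as application/x-zip-compressed, it matches magic bytes per whitelisted extension and, for Office files, opens the ZIP container and requires the OOXML marker entry plus the part directory of the claimed type, so a renamed executable, a renamed .zip and an unlisted extension such as .aspx are all rejected.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.IO.Compression;
using System.Linq;
using System.Text;

// Hypothetical helper (not from the question or the answers). Whitelists
// uploads by extension AND by content; the client's Content-Type is never consulted.
public static class UploadValidator
{
    // Extension whitelist; each entry carries the content check it must pass.
    private static readonly Dictionary<string, Func<Stream, bool>> Allowed =
        new Dictionary<string, Func<Stream, bool>>(StringComparer.OrdinalIgnoreCase)
    {
        { ".pdf",  s => HasMagic(s, new byte[] { 0x25, 0x50, 0x44, 0x46, 0x2D }) },   // "%PDF-"
        { ".jpg",  s => HasMagic(s, new byte[] { 0xFF, 0xD8, 0xFF }) },               // JPEG SOI marker
        { ".jpeg", s => HasMagic(s, new byte[] { 0xFF, 0xD8, 0xFF }) },
        { ".png",  s => HasMagic(s, new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A }) },
        { ".docx", s => IsOoxml(s, "word/") },                                        // Word package parts
        { ".xlsx", s => IsOoxml(s, "xl/") },                                          // Excel package parts
    };

    // True only if the LAST extension of the client file name is whitelisted and the
    // bytes look like that type. The stream must be seekable (HttpPostedFileBase.InputStream is).
    public static bool IsAllowed(string clientFileName, Stream content)
    {
        string ext;
        try { ext = Path.GetExtension(Path.GetFileName(clientFileName ?? string.Empty)); }
        catch (ArgumentException) { return false; }     // illegal characters, e.g. an embedded NUL

        Func<Stream, bool> check;
        if (string.IsNullOrEmpty(ext) || !Allowed.TryGetValue(ext, out check))
            return false;                               // unlisted or missing extension (shell.aspx, report.pdf.aspx)
        try
        {
            content.Position = 0;
            return check(content);
        }
        catch (InvalidDataException) { return false; }  // truncated or corrupt ZIP container
        finally { content.Position = 0; }               // leave the stream reusable for saving
    }

    private static bool HasMagic(Stream s, byte[] magic)
    {
        var buf = new byte[magic.Length];
        int n = s.Read(buf, 0, buf.Length);
        return n == magic.Length && buf.SequenceEqual(magic);
    }

    // docx/xlsx are ZIP containers: require the OOXML marker entry and the part
    // directory of the claimed type, so a renamed .zip or .jar does not pass.
    private static bool IsOoxml(Stream s, string partDir)
    {
        if (!HasMagic(s, new byte[] { 0x50, 0x4B, 0x03, 0x04 })) return false;     // "PK\3\4"
        s.Position = 0;
        using (var zip = new ZipArchive(s, ZipArchiveMode.Read, leaveOpen: true))
        {
            bool marker = zip.Entries.Any(e => e.FullName == "[Content_Types].xml");
            bool part   = zip.Entries.Any(e => e.FullName.StartsWith(partDir, StringComparison.Ordinal));
            return marker && part;
        }
    }
}

// Constructed sample inputs (not real uploads) that exercise each rejection path.
public static class Demo
{
    static MemoryStream Zip(params string[] entryNames)
    {
        var ms = new MemoryStream();
        using (var zip = new ZipArchive(ms, ZipArchiveMode.Create, leaveOpen: true))
            foreach (var name in entryNames)
                using (var w = new StreamWriter(zip.CreateEntry(name).Open())) w.Write("<x/>");
        return ms;
    }

    public static void Main()
    {
        var pdf      = new MemoryStream(Encoding.ASCII.GetBytes("%PDF-1.4\n%constructed sample\n"));
        var exe      = new MemoryStream(new byte[] { 0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00 });  // "MZ" DOS header
        var docx     = Zip("[Content_Types].xml", "word/document.xml");
        var plainZip = Zip("payload.bin");

        Console.WriteLine("report.pdf  / PDF bytes      : " + UploadValidator.IsAllowed("report.pdf", pdf));
        Console.WriteLine("photo.jpg   / PE bytes       : " + UploadValidator.IsAllowed("photo.jpg", exe));       // renamed executable
        Console.WriteLine("shell.aspx  / PDF bytes      : " + UploadValidator.IsAllowed("shell.aspx", pdf));      // unlisted extension
        Console.WriteLine("memo.docx   / OOXML package  : " + UploadValidator.IsAllowed("memo.docx", docx));
        Console.WriteLine("memo.docx   / plain zip      : " + UploadValidator.IsAllowed("memo.docx", plainZip));  // zip without Word parts
    }
}
```

In the action, call UploadValidator.IsAllowed(file.FileName, file.InputStream) before saving, store the file under a server-generated name rather than file.FileName, and keep the upload directory out of the request pipeline (no script handlers mapped to it) so that a file which slips through still cannot execute. The content check proves the bytes are of the claimed container type, nothing more: a well-formed PDF or Office document can still carry active content, so documents should still go through whatever malware scanning the server already applies.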