How to receive files with the specified content type by operating system

I am trying to download a file and I am trying to check their extension. As I know this is not good practice, this is the code I am using. It works great, but I am facing an issue with Apple Mac users: they cannot download PDF files.

    if (upload1.HasFile)
    {
        // FileInfo requires "using System.IO;". The file name comes from the client.
        FileInfo Finfo = new FileInfo(upload1.PostedFile.FileName);
        string ext = Finfo.Extension.ToLower();   // includes the leading dot
        if (ext == ".docx" || ext == ".doc" || ext == ".xls" ||
            ext == ".xlsx" || ext == ".pdf" || ext == ".jpg" ||
            ext == ".png" || ext == ".gif" || ext == ".txt" ||
            ext == ".mp4" || ext == ".ppt" || ext == ".bmp" ||
            ext == ".swf" || ext == ".rm" || ext == ".pptx")
        {
            // Accept File
        }
    }

      

Now I thought I would use this code to solve the problem:

    // ContentType is the value sent by the browser for the uploaded file.
    if (
        upload1.PostedFile.ContentType == "text/rtf" ||
        upload1.PostedFile.ContentType == "application/doc" ||
        upload1.PostedFile.ContentType == "appl/text" ||
        upload1.PostedFile.ContentType == "application/vnd.msword" ||
        upload1.PostedFile.ContentType == "application/vnd.ms-word" ||
        upload1.PostedFile.ContentType == "application/winword" ||
        upload1.PostedFile.ContentType == "application/word" ||
        upload1.PostedFile.ContentType == "application/msword" ||
        upload1.PostedFile.ContentType == "application/x-msw6" ||
        upload1.PostedFile.ContentType == "application/x-msword" ||
        upload1.PostedFile.ContentType == "application/pdf" ||
        upload1.PostedFile.ContentType == "application/x-pdf" ||
        upload1.PostedFile.ContentType == "application/vnd.openxmlformats-officedocument.wordprocessingml.document" ||
        upload1.PostedFile.ContentType == "application/vnd.openxmlformats-officedocument.wordprocessingml.template"
        )
    {
        // Accept File
    }

      

This is a good way to accept files from users. I need to allow all files except EXE, DMG, DLL, CS, SQL, BAT. How can I make sure it will work on all operating systems?

  • Apple users can use OpenOffice or other software to download, so we have to allow this file type also.

Can someone tell me how to handle these situations?

+3




8 answers


The file extension is used and even the content type check is used, along with the fact that we limited the user not to upload other than office documents; we even tried Telerik Upload to achieve the functionality. Thanks again to everyone who gave the answers.



0




The content type is mainly determined by the client, but basically the client cannot submit the content type, in which case checking the extension is the best way to check the file type. Or you should check both. We ran into an issue with some Mac clients not submitting content type.

If both are missing, you will need to check a few initial bytes of the file to check its type.



Content type is a bad idea, because if the user doesn't have the appropriate software, the OS will submit the wrong content type.

+2




When they download a file, should they be available immediately? What I have done in the past is to place them in a pending folder on the server and then, at a given interval (although this might be a function called after the download), I start a small process that reads the first few bytes of data. Most of these file types have a header entry, often in plain text; for example, PDF has "%PDF" as the first 4 characters. Executable files often start with the "MZ" characters. Look in a hex editor (like TextPad). This is of course the final port of call, your security system; the first steps are to limit the suffix as you do it (although this is not a real guarantee of the contents of the file). You can also use MIME types to block specific MIME Type List types, which will help too. See here for example: http://forums.asp.net/p/1554764/3829242.aspx

Edit: Please note that some of these files you want to skip are just text files: .bat and .cs for example. Thus, MIME types or reading the start of the data will not help, so it is best to either disable these extensions or rename the extensions to .txt when saving to the server. They cannot do harm as text files with a .txt extension, as they will not be executable. You will also need to think about .reg too.

+1




The best way to do this is to use the FileOpenDialog component so that the user can select the file neatly by adding filters to the component (e.g. *.swf | swf files).

0




You need to keep a blacklist of content types since you know which types to block and not the types to be allowed, although this is a very safe practice later on.

I would recommend you run some kind of antivirus web service or scan before intercepting files like http://www.opswat.com/products/metascan

0




Have you checked this answer: "Using .NET, how can you find the mime type of a file based on the file signature and not the extension"?

Getting the MIME type from the file is possible on the server side, and you can blacklist the ones you don't want.

Also, using the reg expression to filter the file type in the Open file dialog is somewhat unreliable since anyone can type, eg. in the filename field and upload any type of file.

0




"I need to allow all files except EXE, DMG, DLL, CS, SQL, BAT, how can I make sure it will work on all operating systems."

I would use the file extension as the first line of defense, then the content type, and then the file signature. Try using nested if statements at three levels to ensure the file goes all the way.

For this code:

if (Finfo.Extension.ToLower() == ".docx" || Finfo.Extension.ToLower() == ".doc" || Finfo.Extension.ToLower() == ".xls" ||.....

      

Why not just do the reverse logic for file extensions that are not allowed?

    if (Finfo.Extension.ToLower() != ".exe" && Finfo.Extension.ToLower() != ".dmg" && Finfo.Extension.ToLower() != ".dll" &&.......etc

This will save you some code, especially if the target list is not finite and small. Think of a guy who can make changes to his code later... maybe you :)

0
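
A sketch of the layered check suggested in the answer above (extension first, then file signature) combined with the "%PDF" / "MZ" header check from the earlier answer. This is an added example, not code from any poster; `UploadValidator` and `IsAcceptable` are hypothetical names, the sample byte arrays are constructed, and the allowlist covers only a subset of the asker's extensions that have a fixed leading signature.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

// Added example; UploadValidator and IsAcceptable are hypothetical names.
static class UploadValidator
{
    static readonly byte[] Zip = { 0x50, 0x4B, 0x03, 0x04 }; // "PK": .docx/.xlsx/.pptx are ZIP containers
    static readonly byte[] Ole = { 0xD0, 0xCF, 0x11, 0xE0 }; // legacy .doc/.xls/.ppt compound file

    // Allowlist: extension -> bytes the content must start with.
    static readonly Dictionary<string, byte[]> Allowed =
        new Dictionary<string, byte[]>(StringComparer.OrdinalIgnoreCase)
        {
            { ".pdf", new byte[] { 0x25, 0x50, 0x44, 0x46 } },  // "%PDF"
            { ".png", new byte[] { 0x89, 0x50, 0x4E, 0x47 } },
            { ".jpg", new byte[] { 0xFF, 0xD8, 0xFF } },
            { ".gif", new byte[] { 0x47, 0x49, 0x46, 0x38 } },  // "GIF8"
            { ".docx", Zip }, { ".xlsx", Zip }, { ".pptx", Zip },
            { ".doc", Ole }, { ".xls", Ole }, { ".ppt", Ole },
        };

    // The client-supplied Content-Type is deliberately not consulted.
    public static bool IsAcceptable(string fileName, Stream content)
    {
        string name = fileName ?? "";
        int dot = name.LastIndexOf('.');
        string ext = dot < 0 ? "" : name.Substring(dot);
        byte[] expected;
        if (!Allowed.TryGetValue(ext, out expected)) return false; // .exe, .bat, .cs, no extension...

        var head = new byte[expected.Length];
        int read = 0, n;
        while (read < head.Length && (n = content.Read(head, read, head.Length - read)) > 0)
            read += n;
        if (content.CanSeek) content.Position = 0; // rewind so the caller can still save the file
        return read == head.Length && head.SequenceEqual(expected);
    }

    static void Main()
    {
        // Constructed sample uploads: file name plus leading bytes.
        var pdf = new byte[] { 0x25, 0x50, 0x44, 0x46, 0x2D, 0x31, 0x2E, 0x34 }; // "%PDF-1.4"
        var exe = new byte[] { 0x4D, 0x5A, 0x90, 0x00 };                         // "MZ" executable header
        Console.WriteLine("report.pdf  (PDF bytes): " + IsAcceptable("report.pdf", new MemoryStream(pdf)));
        Console.WriteLine("invoice.pdf (MZ bytes):  " + IsAcceptable("invoice.pdf", new MemoryStream(exe)));
        Console.WriteLine("tool.exe    (MZ bytes):  " + IsAcceptable("tool.exe", new MemoryStream(exe)));
    }
}
```

In the Web Forms page from the question, the call would take `upload1.PostedFile.FileName` and `upload1.PostedFile.InputStream`. A ZIP or compound-file signature only identifies the container format, so it narrows what an Office upload can be without proving the document type.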




You don't have to accept all file types - this is a huge security hole.

I suspect your problem might be user error. Can you verify that the 'mac' user has no open file while downloading it? There is no reason why booting from a Mac should behave differently from a PC.

We have a similar requirement and use the datatype and filename extension to determine what is being loaded. We have no problem with Mac, PC, Linux or others.

-4

