Check that uploaded photo is a JPEG

Chris Mahoney

Hi

I'm setting up a site where users will be able to upload photos. I'd
like to be able to ensure that they're uploading JPEGs, and not
malicious code. I've tried checking the MIME type, but that doesn't
seem to be reliable; for example if you rename an .exe to .jpg and
upload using Firefox, it returns "image/jpeg" (IE 6 returns
"application/octet-stream").

I understand that there probably isn't a surefire solution to this,
but a little security is better than none. Any advice? I'm using VB
2005 but I can read C# if I need to :)

Thanks
Chris
 
I would think the obvious (if not necessarily most efficient) solution
is to use System.Drawing.Image.FromFile(...): you can then check the
RawFormat property, or trap for any exceptions for invalid files. I
don't believe FromFile() can cause malicious code to execute.
 
Hi Chris

First check it with HttpPostedFile.ContentType

Then try to create a System.Drawing.Image object from a given source. If
this succeeds, you can be fairly certain the source is a valid image. In
addition, check Img.RawFormat

Sample code:

Try
    ' FromStream(...) can be used instead of FromFile(...)
    Using Img As System.Drawing.Image = System.Drawing.Image.FromFile("C:\MyImage.gif")
        If Img.RawFormat.Equals(System.Drawing.Imaging.ImageFormat.Jpeg) Then
            ' ... ok
        Else
            ' ... wrong
        End If
    End Using
Catch
    ' ... wrong
End Try
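
An added example, not code from any poster in this thread: the decode-and-check-RawFormat approach suggested above, extended to cap the upload size, check the JPEG start marker first, and keep only a re-encoded copy so that bytes outside the decoded image are never stored. The module name, function name and maxBytes parameter are hypothetical; upload is assumed to be HttpPostedFile.InputStream.

```vbnet
Imports System
Imports System.Drawing
Imports System.Drawing.Imaging
Imports System.IO

Public Module JpegUploadCheck
    ' Hypothetical helper: returns re-encoded JPEG bytes, or Nothing if the
    ' upload is too large or is not a decodable JPEG.
    Public Function TryNormalizeJpeg(ByVal upload As Stream, ByVal maxBytes As Integer) As Byte()
        ' Copy to memory with a size cap so one upload cannot exhaust memory.
        Dim raw As New MemoryStream()
        Dim chunk(8191) As Byte
        Dim n As Integer = upload.Read(chunk, 0, chunk.Length)
        While n > 0
            If raw.Length + n > maxBytes Then Return Nothing
            raw.Write(chunk, 0, n)
            n = upload.Read(chunk, 0, chunk.Length)
        End While

        ' Cheap pre-check: a JPEG starts with the SOI marker FF D8, then FF.
        Dim data As Byte() = raw.ToArray()
        If data.Length < 3 OrElse data(0) <> &HFF OrElse data(1) <> &HD8 OrElse data(2) <> &HFF Then
            Return Nothing
        End If

        Try
            Using src As New MemoryStream(data)
                Using img As Image = Image.FromStream(src)
                    If Not img.RawFormat.Equals(ImageFormat.Jpeg) Then Return Nothing
                    ' Re-encode the pixels; save this output, not the original bytes.
                    Using clean As New Bitmap(img)
                        Using output As New MemoryStream()
                            clean.Save(output, ImageFormat.Jpeg)
                            Return output.ToArray()
                        End Using
                    End Using
                End Using
            End Using
        Catch ex As ArgumentException       ' FromStream: not a valid image
            Return Nothing
        Catch ex As OutOfMemoryException    ' GDI+ reports some bad files this way
            Return Nothing
        Catch ex As System.Runtime.InteropServices.ExternalException
            Return Nothing
        End Try
    End Function
End Module
```

Write the returned bytes to disk under a server-generated file name with a .jpg extension rather than reusing the name supplied by the client.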
 
Thanks to both of you for your help. So far it's worked with every
weird and wonderful combination I've thrown at it :)

Chris
 