June 3rd, 2004, 03:51 PM
I have an intern working on a project that will allow users to upload PDF files to a web server. The user should *only* be allowed to upload PDF files, nothing else. The intern's method for checking is to check the "ContentType" of the file to make sure it is "application/pdf". Maybe I'm way off base here, but can't that be faked? It seems to me that that is something that is sent from the client browser when the file is uploaded and can therefore be changed. OR does ASP figure it out by itself?
June 3rd, 2004, 04:26 PM
I don't know much about ASP so I could be wrong, but what I found on a quick Google search leads me to believe that it's just going to check the file extension. I don't think it checks the actual file format; like I said, though, I don't know much about ASP, so I could be wrong. Someone please correct me if I'm wrong.
So much to learn, so little time.
June 3rd, 2004, 05:06 PM
I'd recommend ...
2) Double check this against the 'Content Type'.
To get around both of those checks the user would really have to make an effort to conceal his/her true file type, and even then, if a browser tries to view the fake pdf file it will just come up with an error indicating the incorrect file format.
June 3rd, 2004, 09:18 PM
I could be wrong, but isn't #2 dependent upon #1? Thus, if I rename virus.exe to virus.pdf it should allow it right past the content checks.
If I'm wrong, let me know.
June 3rd, 2004, 10:43 PM
What I do for my upload script (Script) is just check the MIMEType (uses PHP). It seems to be an effective method for uploading. Also, you could do what mikester2 said and also check the extension.
Pooh sun tzu, if you name a file .exe it doesn't change its ContentType/MIMEType. If you'd like to check, use my script (Script). To test it, create a text file then test its filetype. It should return text/plain. Now, rename the same file but change its extension to .exe. It should still return text/plain. If you'd like me to expand on this idea then just ask me. The only downside is I know PHP, not ASP.
June 3rd, 2004, 10:51 PM
klassasin, I see what you mean, and would love something a bit more in-depth to understand it. Is the MIMEType actually checking the file content? Or is it a signature within the file itself that registers its ContentType?
June 3rd, 2004, 11:36 PM
June 4th, 2004, 03:08 PM
June 7th, 2004, 09:54 AM
Checking for the extension of the file and/or the mime-type isn't enough. Both can be faked pretty easily.
Remember that a blackhat will probably not use your upload page but will craft the response by hand.
Experience is something you don't get until just after you need it.
June 7th, 2004, 02:06 PM
The absolute best option would likely be to use a PDF library to load the PDF and ensure it is a valid PDF once it is uploaded to the server, and if not, just delete it. Not the quickest or leanest solution, but really the best when you consider there is no other really accurate way to ensure the PDF is valid.
Which version of ASP is this?
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
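To make the thread's point concrete, here is an added example (not code from any poster, and written in Python rather than the ASP or PHP discussed) showing why the browser-supplied Content-Type and the file extension cannot be trusted on their own: it validates an upload by looking at the bytes actually received. The function names, the minimal PDF and the renamed-executable sample are all constructed for this illustration; the content check is a header/trailer magic-byte check, not the full parse with a PDF library that the last post recommends as the most reliable option.

```python
import re

PDF_MAGIC = b"%PDF-"       # every PDF begins with a header line such as "%PDF-1.4"
PDF_EOF = b"%%EOF"         # and ends (apart from trailing whitespace) with this marker
HEADER_WINDOW = 1024       # readers tolerate some junk before the header; look in the first 1 KiB

def looks_like_pdf(data: bytes) -> bool:
    """Content-based check: versioned %PDF- header near the start, %%EOF near the end."""
    head = data[:HEADER_WINDOW + len(PDF_MAGIC)]
    idx = head.find(PDF_MAGIC)
    if idx < 0:
        return False
    # The header must carry a version number, e.g. %PDF-1.7 or %PDF-2.0
    if not re.match(rb"%PDF-\d\.\d", head[idx:idx + 8]):
        return False
    return PDF_EOF in data[-1024:]

def validate_upload(filename: str, client_content_type: str, data: bytes) -> dict:
    """Evaluate each check separately so the result shows which ones the client controls."""
    checks = {
        "extension": filename.lower().endswith(".pdf"),
        # Reported by the browser in the multipart request; informational only, never trusted
        "client_content_type": client_content_type == "application/pdf",
        "content": looks_like_pdf(data),
    }
    # Acceptance deliberately ignores the client-supplied type
    checks["accept"] = checks["extension"] and checks["content"]
    return checks

# Constructed sample uploads (hypothetical), as a server would see them after parsing the form
MINIMAL_PDF = (b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
               b"2 0 obj<</Type/Pages/Kids[]/Count 0>>endobj\n"
               b"trailer<</Root 1 0 R>>\n%%EOF\n")
FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 60   # a PE stub: "virus.exe" renamed to virus.pdf

SAMPLES = {
    "report.pdf": ("application/pdf", MINIMAL_PDF),          # genuine upload
    "virus.pdf":  ("application/pdf", FAKE_EXE),             # renamed exe, type faked by client
    "notes.txt":  ("application/pdf", b"just some text\n"),  # wrong extension, faked type
    "weird.pdf":  ("application/octet-stream", MINIMAL_PDF), # real PDF, browser guessed wrong
}

def run_samples() -> dict:
    return {name: validate_upload(name, ctype, data) for name, (ctype, data) in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:12} {result}")
```

Note that virus.pdf passes both the extension and the Content-Type checks and is rejected only by the content check, while weird.pdf is accepted despite the browser mislabeling it.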