Hi
I just checked the ASP.NET 2 HttpPostedFile implementation.
ASP.NET 2 does not check the file data; HttpPostedFile.ContentType is parsed from the file header "Content-Type".
I also ran a test: if I rename test.zip to test.txt and upload it, the ContentType is 'application/x-zip-compressed'.
So IE detects the MIME type, not IIS.
( http://msdn2.microsoft.com/en-us/library/ms775147.aspx )
But even if IE corrects the MIME type, the server side should not trust it,
because the client can send invalid/malicious data/info by using a tool (not a browser).
So the uploader can only keep the file extension as safe as possible, but not the MIME type/data.
The best way to check whether a file is an image is to try to convert the file data to a GDI Image object.
I think that is not the job of our Uploader; the developer should do that.
Maybe we can add a MIME check to the Uploader, which could help some advanced developers,
but that would hurt some developers who are not familiar with the MIME issue.
Regards, Terry.
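
The check described in the post above, decoding the uploaded bytes as a GDI+ image instead of trusting the client-sent Content-Type, sketched as an added example (not part of the original post and not the Uploader's own code). `UploadImageCheck` and `IsAllowedImage` are hypothetical names, the sample inputs are constructed in memory, and System.Drawing is assumed to be available.

```csharp
using System;
using System.Drawing;
using System.Drawing.Imaging;
using System.IO;

static class UploadImageCheck
{
    // Hypothetical helper: returns true only if the bytes decode as one of the
    // allowed image formats. The client-declared Content-Type is never consulted;
    // the type reported back comes from what GDI+ actually decoded.
    public static bool IsAllowedImage(Stream data, out string detected)
    {
        detected = null;
        try
        {
            // validateImageData: true asks GDI+ to validate the image data on load.
            using (Image img = Image.FromStream(data, false, true))
            {
                if (img.RawFormat.Equals(ImageFormat.Png)) detected = "image/png";
                else if (img.RawFormat.Equals(ImageFormat.Jpeg)) detected = "image/jpeg";
                else if (img.RawFormat.Equals(ImageFormat.Gif)) detected = "image/gif";
                return detected != null; // decodable but not on the allow-list: reject
            }
        }
        catch (ArgumentException)
        {
            return false; // the stream is not a valid image format
        }
    }

    static void Main()
    {
        // Constructed sample 1: a real 1x1 PNG generated in memory.
        var png = new MemoryStream();
        using (var bmp = new Bitmap(1, 1)) bmp.Save(png, ImageFormat.Png);
        png.Position = 0;

        // Constructed sample 2: bytes starting with the ZIP local-file-header
        // magic, standing in for the renamed test.zip from the post.
        var zip = new MemoryStream(new byte[] { 0x50, 0x4B, 0x03, 0x04, 0, 0, 0, 0 });

        // Imagine both arrive with a client-declared Content-Type of "image/png".
        string type;
        Console.WriteLine("png bytes accepted: {0} ({1})", IsAllowedImage(png, out type), type);
        Console.WriteLine("zip bytes accepted: {0} ({1})", IsAllowedImage(zip, out type), type);
    }
}
```

In a page or handler, the stream passed in would be `HttpPostedFile.InputStream`, and the stored content type would be the detected value rather than `HttpPostedFile.ContentType`.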