Support forums - Re: Is it possible to deny file type?

Support forums » Products » Ajax Uploader » Re: Is it possible to deny file type?

Re: Is it possible to deny file type?

09-09-2009, 9:24 PM

cutechat
Joined on 07-22-2004
Posts 2,332

Re: Is it possible to deny file type?

Reply Quote

Hi,

If you use this way , you must collect all kinds of the file types which can be executed on your server.

if you miss one , your server will be hacked.

<%@ Page Language="C#" Title="First sample" %>
<%@ Import Namespace="CuteWebUI" %>
<%@ Register TagPrefix="CuteWebUI" Namespace="CuteWebUI" Assembly="CuteWebUI.AjaxUploader" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">

string disabledExtList = "aspx,asp,ashx,html,htm,mht,exe,dll,php,jsp";

void InsertMsg(string msg)
	{
		ListBoxEvents.Items.Insert(0, msg);
		ListBoxEvents.SelectedIndex = 0;
	}
	protected void UploadAttachments1_AttachmentAdded(object sender, AttachmentItemEventArgs args)
	{
		InsertMsg("Added.." + args.Item.FileName);
	}

protected void UploadAttachments1_FileValidating(object sender, UploaderEventArgs args)
	{
		//validate the extensions , this is very important!
		//the client side validation is not safe , double check it here:
		string ext=Path.GetExtension(args.FileName).TrimStart('.').ToLower();
		ext = "," + ext + ",";
		string list="," + disabledExtList.ToLower() + ",";
		if (list.IndexOf(ext) != -1)
		{
			throw (new Exception("Invalid file type!"));
		}
	}
</script>

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1" runat="server">
</head>
<body>
	<form id="Form1" runat="server">
		<script src="../PageUpload/TempSource.js"></script>
		<CuteWebUI:UploadAttachments runat="server" ID="UploadAttachments1" OnAttachmentAdded="UploadAttachments1_AttachmentAdded" OnFileValidating="UploadAttachments1_FileValidating">
		</CuteWebUI:UploadAttachments>
		<br />
		<div>
			Server Trace:
			<br />
			<asp:ListBox runat="server" ID="ListBoxEvents" Width="800"></asp:ListBox>
		</div>
	</form>
	<script type="text/javascript">
	var disabledExtList='<%=disabledExtList %>'
	</script>
	<script type="text/javascript">
	//validate the extensions in client side
	//this way is not safe , just for performance
	//try to disable it to test the server validation
	var useclientvalidation=true;
	function CuteWebUI_AjaxUploader_OnSelect(files)
	{
		if(useclientvalidation)
		{
			var list=","+disabledExtList+",";
			for(var i=0;i<files.length;i++)
			{
				var item=files[i];
				var size=item.FileSize;
				var fps=item.FileName.split('.');
				var ext=fps[fps.length-1].toLowerCase();
				ext=","+ext+",";
				if(list.indexOf(ext)!=-1)
				{
					item.Cancel();
					alert("Javascript : Invalid file type : "+ext);
				}
			}
		}
	}
	</script>

</body>
</html>

<%@ Page Language="C#" Title="First sample" %>
<%@ Import Namespace="CuteWebUI" %>
<%@ Register TagPrefix="CuteWebUI" Namespace="CuteWebUI" Assembly="CuteWebUI.AjaxUploader" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
<script runat="server">
string disabledExtList = "aspx,asp,ashx,html,htm,mht,exe,dll,php,jsp";
void InsertMsg(string msg)
{
ListBoxEvents.Items.Insert(0, msg);
ListBoxEvents.SelectedIndex = 0;
}
protected void UploadAttachments1_AttachmentAdded(object sender, AttachmentItemEventArgs args)
{
InsertMsg("Added.." + args.Item.FileName);
}
protected void UploadAttachments1_FileValidating(object sender, UploaderEventArgs args)
{
//validate the extensions , this is very important!
//the client side validation is not safe , double check it here:
string ext=Path.GetExtension(args.FileName).TrimStart('.').ToLower();
ext = "," + ext + ",";
string list="," + disabledExtList.ToLower() + ",";
if (list.IndexOf(ext) != -1)
{
throw (new Exception("Invalid file type!"));
}
}
</script>
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1" runat="server">
</head>
<body>
<form id="Form1" runat="server">
<script src="../PageUpload/TempSource.js"></script>
<CuteWebUI:UploadAttachments runat="server" ID="UploadAttachments1" OnAttachmentAdded="UploadAttachments1_AttachmentAdded" OnFileValidating="UploadAttachments1_FileValidating">
</CuteWebUI:UploadAttachments>
<br />
<div>
Server Trace:
<br />
<asp:ListBox runat="server" ID="ListBoxEvents" Width="800"></asp:ListBox>
</div>
</form>
<script type="text/javascript">
var disabledExtList='<%=disabledExtList %>'
</script>
<script type="text/javascript">
//validate the extensions in client side
//this way is not safe , just for performance
//try to disable it to test the server validation
var useclientvalidation=true;
function CuteWebUI_AjaxUploader_OnSelect(files)
{
if(useclientvalidation)
{
var list=","+disabledExtList+",";
for(var i=0;i<files.length;i++)
{
var item=files[i];
var size=item.FileSize;
var fps=item.FileName.split('.');
var ext=fps[fps.length-1].toLowerCase();
ext=","+ext+",";
if(list.indexOf(ext)!=-1)
{
item.Cancel();
alert("Javascript : Invalid file type : "+ext);
}
}
}
}
</script>
</body>
</html>

Regards,
Terry

View Complete Thread