How to allow users to upload all files types except certain files types asp,php
Last post 04-23-2009, 6:05 PM by AshMach. 4 replies.
04-17-2009, 6:36 AM
51197
cassini
Joined on 11-27-2008
Posts 24
How to allow users to upload all files types except certain files types asp,php
Hi, the problem with AllowedFilesExtensions is that it is inclusive, not exclusive: it allows uploading certain files, but what if we want to upload all file types except asp,php?
Thank you.
04-17-2009, 8:33 AM
51204
in reply to
51197
cutechat
Joined on 07-22-2004
Posts 2,332
Re: How to allow users to upload all files types except certain files types asp,php
Hi,
I think that is not a good idea, because:
1. We are not able to generate the filter for dialogs.
2. It's hard to find all dangerous extensions for the server.
Regards,
Terry
04-17-2009, 4:06 PM
51226
in reply to
51204
cassini
Joined on 11-27-2008
Posts 24
Re: How to allow users to upload all files types except certain files types asp,php
We have the list of the files that can harm the server; this is not a big deal! Why not check the extension of each file type instead of trying to filter the dialogs?
04-19-2009, 11:47 PM
51239
in reply to
51226
cutechat
Joined on 07-22-2004
Posts 2,332
Re: How to allow users to upload all files types except certain files types asp,php
Hi,
This is a sample for your request
<%@ Page Language="C#" Title="First sample" %>
<%@ Import Namespace="System.IO" %>
<%@ Import Namespace="CuteWebUI" %>
<%@ Register TagPrefix="CuteWebUI" Namespace="CuteWebUI" Assembly="CuteWebUI.AjaxUploader" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">

<script runat="server">
    // comma-separated list of extensions that are refused
    string disabledExtList = "aspx,asp,ashx,html,htm,mht,exe,dll,php,jsp";

    void InsertMsg(string msg)
    {
        ListBoxEvents.Items.Insert(0, msg);
        ListBoxEvents.SelectedIndex = 0;
    }

    protected void UploadAttachments1_AttachmentAdded(object sender, AttachmentItemEventArgs args)
    {
        InsertMsg("Added.." + args.Item.FileName);
    }

    protected void UploadAttachments1_FileValidating(object sender, UploaderEventArgs args)
    {
        //validate the extensions , this is very important!
        //the client side validation is not safe , double check it here:
        string ext = Path.GetExtension(args.FileName).TrimStart('.').ToLower();
        //wrap both sides in commas so that only whole extensions match
        ext = "," + ext + ",";
        string list = "," + disabledExtList.ToLower() + ",";
        if (list.IndexOf(ext) != -1)
        {
            throw (new Exception("Invalid file type!"));
        }
    }
</script>

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1" runat="server">
</head>
<body>
    <form id="Form1" runat="server">
        <CuteWebUI:UploadAttachments runat="server" ID="UploadAttachments1"
            OnAttachmentAdded="UploadAttachments1_AttachmentAdded"
            OnFileValidating="UploadAttachments1_FileValidating">
        </CuteWebUI:UploadAttachments>
        <br />
        <div>
            Server Trace:
            <br />
            <asp:ListBox runat="server" ID="ListBoxEvents" Width="800"></asp:ListBox>
        </div>
    </form>

    <script type="text/javascript">
        var disabledExtList = '<%=disabledExtList %>';
    </script>

    <script type="text/javascript">
        //validate the extensions in client side
        //this way is not safe , just for performance
        //try to disable it to test the server validation
        var useclientvalidation = false;
        function CuteWebUI_AjaxUploader_OnSelect(files)
        {
            if (useclientvalidation)
            {
                var list = "," + disabledExtList + ",";
                for (var i = 0; i < files.length; i++)
                {
                    var fps = files[i].FileName.split('.');
                    var ext = fps[fps.length - 1].toLowerCase();
                    ext = "," + ext + ",";
                    if (list.indexOf(ext) != -1)
                    {
                        alert("Javascript : Invalid file type : " + ext);
                        //cancel it.
                        return false;
                    }
                }
            }
        }
    </script>
</body>
</html>
Regards,
Terry
04-23-2009, 6:05 PM
51462
in reply to
51239
AshMach
Joined on 08-15-2008
Posts 3
Re: How to allow users to upload all files types except certain files types asp,php
Hi Terry, do you think just checking file extensions is safe? What about spoofed files? See my thread at http://cutesoft.net/forums/permalink/51461/51461/ShowThread.aspx#51461
Regards, Ash
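
An added example, not part of the thread and not CuteSoft's code: the denylist check from the sample above next to an allowlist check that also compares the first bytes of the upload with the signature expected for its extension, which is one way to catch a renamed ("spoofed") file. The class and method names, the allowlist and the sample files are assumptions constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
static class UploadPolicy   // hypothetical name; added example, not CuteSoft code
{
    // Denylist copied from the sample posted in the thread.
    const string DisabledExtList = "aspx,asp,ashx,html,htm,mht,exe,dll,php,jsp";

    // Constructed allowlist: extension -> bytes a file of that type starts with.
    static readonly Dictionary<string, byte[]> Allowed =
        new Dictionary<string, byte[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "png", new byte[] { 0x89, 0x50, 0x4E, 0x47 } },
            { "pdf", new byte[] { 0x25, 0x50, 0x44, 0x46 } },   // "%PDF"
        };

    // The thread's check: accept everything that is not on the denylist.
    public static bool DenylistAccepts(string fileName)
    {
        string ext = "," + Path.GetExtension(fileName).TrimStart('.').ToLowerInvariant() + ",";
        return ("," + DisabledExtList + ",").IndexOf(ext, StringComparison.Ordinal) == -1;
    }

    // Allowlist check: known extension and content that starts with its signature.
    public static bool AllowlistAccepts(string fileName, byte[] head)
    {
        string name = Path.GetFileName(fileName ?? "");
        if (name.Length == 0 || name != name.TrimEnd('.', ' ')) return false;  // empty, or ends in '.' or ' '
        byte[] magic;
        if (!Allowed.TryGetValue(Path.GetExtension(name).TrimStart('.'), out magic)) return false;
        if (head == null || head.Length < magic.Length) return false;
        for (int i = 0; i < magic.Length; i++)
            if (head[i] != magic[i]) return false;
        return true;
    }

    static void Main()
    {
        byte[] png = { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A };  // constructed PNG header
        byte[] markup = { 0x3C, 0x25, 0x40, 0x20 };                       // constructed: "<%@ "
        var samples = new[] {
            Tuple.Create("photo.png", png),
            Tuple.Create("service.asmx", markup),  // extension missing from the denylist
            Tuple.Create("renamed.png", markup),   // allowed extension, wrong content
        };
        foreach (var s in samples)
            Console.WriteLine("{0,-13} denylist={1,-5} allowlist={2}", s.Item1, DenylistAccepts(s.Item1), AllowlistAccepts(s.Item1, s.Item2));
    }
}
```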