Is it possible to deny file type?

  •  09-09-2009, 8:07 PM 55498

    Is it possible to deny file type?

    I saw that it is possible to filter the types of files that can be uploaded with the AllowedFileExtensions property.
    But is it possible to do the opposite, i.e. specify a list of file extensions that are not allowed? For example, I'd like to forbid *.exe, *.bat, *.zip ...
  •  09-09-2009, 9:24 PM 55499 in reply to 55498

    Re: Is it possible to deny file type?

    Hi,
     
    If you take this approach, you must enumerate every file type that can be executed on your server.
     
    If you miss even one, your server can be compromised.
     
    1. <%@ Page Language="C#" Title="First sample" %>  
    2. <%@ Import Namespace="CuteWebUI" %>  
    3. <%@ Register TagPrefix="CuteWebUI" Namespace="CuteWebUI" Assembly="CuteWebUI.AjaxUploader" %>  
    4. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">  
    5.   
    6. <script runat="server">  
    7.   
    // Deny list of extensions, comma-separated; UploadAttachments1_FileValidating
    // matches against it case-insensitively, and the value is also echoed into a
    // single-quoted JavaScript literal at render time, so it must contain no quotes.
    // A deny list has to name every type the server will execute and this one is not
    // exhaustive for an ASP.NET host (other handler-mapped extensions such as
    // .ascx/.asmx exist); the control's AllowedFileExtensions allow list is the
    // safer choice when the set of acceptable types is known.
    string disabledExtList = "aspx,asp,ashx,html,htm,mht,exe,dll,php,jsp";
    9.   
    /// <summary>
    /// Prepends <paramref name="msg"/> to the server-trace list box and selects it
    /// so the newest entry is the one shown.
    /// </summary>
    /// <param name="msg">Text of the trace entry.</param>
    void InsertMsg(string msg)
    {
        const int top = 0;
        ListBoxEvents.Items.Insert(top, msg);
        ListBoxEvents.SelectedIndex = top;
    }
    /// <summary>
    /// Event handler for the uploader's AttachmentAdded event: writes one trace
    /// line naming the file that was accepted.
    /// </summary>
    /// <param name="sender">The uploader control.</param>
    /// <param name="args">Event data; only <c>Item.FileName</c> is read.</param>
    protected void UploadAttachments1_AttachmentAdded(object sender, AttachmentItemEventArgs args)
    {
        string fileName = args.Item.FileName;
        InsertMsg(string.Concat("Added..", fileName));
    }
    19.   
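    /// <summary>
    /// Server-side gate run for every uploaded file: rejects a file whose
    /// extension is on <c>disabledExtList</c>. This runs whether or not the
    /// client-side check did, because client-side checks can be bypassed.
    /// </summary>
    /// <param name="sender">The uploader control.</param>
    /// <param name="args">Event data; <c>FileName</c> is the name the client supplied.</param>
    /// <exception cref="Exception">Thrown when the extension is on the deny list.</exception>
    protected void UploadAttachments1_FileValidating(object sender, UploaderEventArgs args)
    {
        //validate the extensions , this is very important!
        //the client side validation is not safe , double check it here:
        if (IsDisabledExtension(args.FileName, disabledExtList))
        {
            throw (new Exception("Invalid file type!"));
        }
    }

    /// <summary>
    /// True when the last extension of <paramref name="fileName"/> is one of the
    /// comma-separated entries in <paramref name="disabledList"/>.
    /// </summary>
    /// <param name="fileName">Client-supplied file name; may be null or empty.</param>
    /// <param name="disabledList">Comma-separated extensions without leading dots.</param>
    /// <returns>True if the extension is denied; false otherwise, including when
    /// the name has no extension (matching the original behaviour).</returns>
    static bool IsDisabledExtension(string fileName, string disabledList)
    {
        if (string.IsNullOrEmpty(fileName) || string.IsNullOrEmpty(disabledList))
        {
            return false;
        }

        // Windows drops trailing dots and spaces when a name is stored, so
        // "page.aspx ." would land on disk as "page.aspx"; strip them first so
        // the extension we test is the one the file will actually have.
        string storedName = fileName.TrimEnd(' ', '.');

        // System.IO is fully qualified because the page's Import directives do not
        // bring that namespace into scope.
        string ext = System.IO.Path.GetExtension(storedName).TrimStart('.');
        if (ext.Length == 0)
        {
            return false;
        }

        // Ordinal, case-insensitive comparison: the original ToLower()/IndexOf(string)
        // were culture-sensitive, so the result could depend on the server's culture
        // settings rather than on the bytes of the name.
        foreach (string disabled in disabledList.Split(','))
        {
            if (string.Equals(ext, disabled.Trim(), StringComparison.OrdinalIgnoreCase))
            {
                return true;
            }
        }
        return false;
    }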
    32. </script>  
    33.   
    34. <html xmlns="http://www.w3.org/1999/xhtml">  
    35. <head id="Head1" runat="server">  
    36. </head>  
    37. <body>  
    38.     <form id="Form1" runat="server">  
    39.         <script src="../PageUpload/TempSource.js"></script>  
    40.         <CuteWebUI:UploadAttachments runat="server" ID="UploadAttachments1" OnAttachmentAdded="UploadAttachments1_AttachmentAdded" OnFileValidating="UploadAttachments1_FileValidating">  
    41.         </CuteWebUI:UploadAttachments>  
    42.         <br />  
    43.         <div>  
    44.             Server Trace:   
    45.             <br />  
    46.             <asp:ListBox runat="server" ID="ListBoxEvents" Width="800"></asp:ListBox>  
    47.         </div>  
    48.     </form>  
    49.     <script type="text/javascript">  
    // Server-side constant copied into the page script. It is rendered unescaped
    // inside a single-quoted literal, so the server value must contain no quotes
    // or line breaks.
    var disabledExtList='<%=disabledExtList %>'
    51.     </script>  
    52.     <script type="text/javascript">  
    //validate the extensions in client side
    //this way is not safe , just for performance
    //try to disable it to test the server validation
    // Toggle for the pre-check in CuteWebUI_AjaxUploader_OnSelect; it is a
    // convenience only, and the server-side FileValidating handler runs either way.
    var useclientvalidation=true;
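    /**
     * Client-side pre-check the uploader calls when files are selected.
     * Cancels any file whose last extension is in disabledExtList (provided by
     * the server). It only saves a round trip; the server-side FileValidating
     * handler is the check that enforces the rule.
     * @param {Array} files uploader items; each exposes FileName and Cancel().
     */
    function CuteWebUI_AjaxUploader_OnSelect(files)
    {
        if(!useclientvalidation)
        {
            return;
        }
        var list=","+disabledExtList+",";
        for(var i=0;i<files.length;i++)
        {
            var item=files[i];
            // the previous version also read item.FileSize into an unused local
            var fps=item.FileName.split('.');
            // last dotted segment; for a name with no dot this is the whole name
            var ext=","+fps[fps.length-1].toLowerCase()+",";
            if(list.indexOf(ext)!=-1)
            {
                item.Cancel();
                alert("Javascript : Invalid file type : "+ext);
            }
        }
    }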
    77.     </script>  
    78.   
    79. </body>  
    80. </html>  

     
    Regards,
    Terry
     