How to restrict/validate file upload filetypes server side on IIS

asp.net asp.net-mvc asp.net-mvc-3 iis file-upload
11,106

Solution 1

Since you are wanting server side you could use the files mime type.

THIS post shows how to determine the MIME type based on the files contents (instead of by the extension).

If you do want to limit the input to SPECIFIC file extension you could simply check the input name against what you want to accept. If this passes you could do an xref against the library in the post I linked to make sure the user didn't just change the file extension on you.

Doing this would provide a pretty good degree of certainty that the file is one that you want to accept!

EDIT: Based on comments so far.... Based on what you have said you are looking for this method should work quite nicely for you. My suggestion if you are simply wanting to limit it to the types of files listed in one of you comments... Do a simple check on the file extension. If that is valid then pass the file to the urlmon.dll listed in the link. Make sure it doesn't come back as an invalid type....aka Executable/java/zip/etc. If it isn't an invalid type then you will have a very high degree of certainty that it is a safe file!

Lastly, reading through the comments on that post it looks like the urlmon.dll might support all the file types you are wanting implicitly which would remove the need to check that it isn't an executable or something of that nature, but you would need to confirm the doc/docx/xsl/xslx do return a valid mime type.

Solution 2

No, there is no web.config setting to restrict what gets uploaded. The only possible way to validate uploaded data is to actually validate that data in code.

Even if there were a setting, it would be useless anyway because it would be based on the Content-Type headers received from the client, which can be quite wrong.

In code, you can certainly look at the Content-Type header, but if you're trying to validate that the uploaded data is of a specific type, you're going to have to do so manually, based on what kind of data you are expecting. For an image, this is easy. For other file types, it can be a lot harder.

Share:
11,106
Alexandre Jobin
Author by

Alexandre Jobin

Updated on June 24, 2022

Comments

  • Alexandre Jobin
    Alexandre Jobin almost 2 years

    I would like to have a whitelist of filetypes that users are authorized to upload to my IIS server (im using IIS v7.5).

    What is the options that i have? For example, to restrict filesize to 5MB for a specific action in my controller, i added this section to my webconfig:

    <location path="home/fileupload">
  <system.web>
    <!-- maxRequestLength is in kilobytes (KB) -->
    <httpRuntime maxRequestLength="5120" /> <!-- 5MB -->
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- maxAllowedContentLength is in bytes -->
        <requestLimits maxAllowedContentLength="5242880"/> <!-- 5MB -->
      </requestFiltering>
    </security>
  </system.webServer>
</location>

    Is there an option in the webconfig to set a whitelist of allowed filetypes? Or is the only option is to validate the filetypes in code when the file is fully uploaded? What is the recommended technics? How can i be sure that the .docx, .pdf, .jpg, etc are really what they are?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to disable server-side caching on IIS 7.5 (asp net mvc3)
How do I deploy MVC3 Hello World App to localhost and configure IIS
IIS returns 404 for ASP.NET MVC3 file (.cshtml)
Configuring IIS (Windows 7) for ASP.NET / ASP.NET MVC 3
double escape sequence inside a url : The request filtering module is configured to deny a request that contains a double escape sequence
ASP.NET MVC issue with configuration of forms authentication section
Strange ValidateInputIfRequiredByConfig error
Multiple selction in Dropdownlist of asp.net MVC 3
ASP.Net MVC 3 Login and Windows Authentication
In Mvc 3 razor view what is the best way to conditionally render html based on Nulls in the model