I have developed File Upload web page in ASP.NET. Now user can rename a .exe file to txt or some other extension and upload the same. I want to restrict that. How I can implement that in ASP.NET?
The only safe way to do this is to get the byte [] from the file that has been posted and examine it to determine if the file is indeed in one of the formats you allow the user to upload. You don't need to save the file, you can just get the byte[] from the HttpPostedFile object.
Other than examining the content (looking for magic numbers, for example) there isn't an infallible way to make sure that the user is not attempting to upload something that you don't allow.
Related
I am developing a .NET intranet site which will enable the user to see a list of files (file details stored in DB) and link to the actual PDF/XML/XLS and open it... kind of like a table of contents for the network.
During data entry, the user enters various data about a document, then browses to the file on the network and selects it using the asp:FileUpload. The codebehind then saves the network path to the DB. There is alot of overhead here because i'm sending the file to the server but never use it.
Everything has been working fine until someone tries to use a large PDF file then I get the dreaded MAXIMUM REQUEST LENGTH EXCEEDED error... So I'm trying to find a solution here... I do not need the actual file.. just the path and filename.
I know not all browsers send the full path but our systems have older browsers so everything is working fine now, but will probably break soon.. which is another reason to find a different solution.
I've looked into Javascript to pull the path but that won't work...
Any other ideas? Other ways to just grab the path and filename? (besides manually typing it in to a Text field)
Thanks,
Todd.
This may help too
How to get the full path of a file from asp: file upload?
string filename = Path.GetFileName(FileUpload1.FileName);//file name
string path= Server.MapPath(filename);//path
I have an ASP.NET 2 application and would like users to upload a file to be processed immediately. The file never needs to be used again, so I don't care to store it on the server as a file somewhere, which hopefully will make it more secure on our end.
Basically, they upload an excel file and I process it and display some results. I do not care to save that excel file for later.
How can I do this?
You can hold the file contents in a MemoryStream.
This will ensure it is not saved to disk.
See What is the best practice for storing a file upload to a MemoryStream (C#)? for details.
In my asp.net web application i have to convert resx file to excelfile and then i should provide an option to download the converted file. I have done the download function using response.Addheader method. Now i wanted to display statics to the user of how many keys are converted from resx file to excel file.
I have placed an label to display no of keys migrated but the code is not exceuted after response.end. Pls help me to get this done
Thanks
Rm
Short answer is that you cannot send some output once the response has closed.
Now to achieve what you want to do, you have to emit statistics along with link to download the actual excel file. For example,
Convert the file and store results into file system. You should use some random key (such as guid) for generating the file name.
Output statistics that you want to show to the user.
In the same output, emit a start-up java-script that would redirect the browser to the url that will download the file generated in step1 - the file name key will useful for creating such URL.
In rare cases where JS doesn't work or re-direct takes more time, The output from #2 should also contain a link that will allow user to download the file manually (the link will be accompanied with some friendly message)
In our application , we are using asp.net FileUpload control to upload files.
Requirement is , user should be able to upload only ".doc, .xls , .pdf" files.
System should not allow him to upload other files. To achieve this we are validating the extension of the uploaded file. If it is not valid then throwing error message.. this works fine..
But if i change the any exe file as .doc file , then system is allowing to upload. this should not happen.
Is there any way to validate the file with its content instead of its extension ..?
Check out this question/answer on stackoverflow. I belive this is a duplicate question.
Also, look into reading a file's magic number especially if you are just trying to determine if the file is one of a few acceptable types. Magic number Wikipedia
Uploadify is a good file uploading tool that I have found which allows you to specify which extensions you allow the user to see when uploading their files. It also has alot of other cool options and it is highly customizeable. It uses a combination of jquery and flash to allow the user to upload more than one file at a time as well (if desired).
I have a WebPage where I am giving the option to to Export the Form data to PDF. I am creating the PDF at run time and store the PDF in a "PDF" folder which is under my application directory. After creating the PDF with the SessionID name I Call following function to show the PDF file in the new browser window:
ResponseHelper.Redirect(Response, "~/PDF/" + Session.SessionID + ".pdf", "_Blank", "");
This PDF contains the private information related to the logged in user. Therefore, I want a way to delete this PDF file once it is shown in the browser to the user. This is because the IIS server allows whole development team to view this folder which is a security risk, and we can't disallow user to view this folder on the server.
Therefore, if I could delete this file as soon as it is loaded in the browser could be a solution of this security risk.
Can anyone suggest some better ways of deleting this file as soon as possbile from the application?
Thanks,
Praveen
what i guess is you are creating PDF file on runtime using Itext and then you save that PDF file in temp directory to show it to user... why don't you use
Response.WriteFile(PDFFILE);
this will write the whole file on the stream without saving it in temp folder.
One way is to write an ashx handler which streams the pdf to the browser, then deletes it when done.
Another, and much better way, is to simply build the PDF in memory (NOT using session) and stream it as soon as it's ready.
UPDATE
I'm doing this with a slightly modified version of iTextSharp. Basically, iTextSharp performed all of it's operations in memory, then saved the file to disk. I changed this to return the memory stream. All the code is already there, it was really just a line or two that had to change.
Then, I used a response.binarywrite to push the stream directly to the browser. viola! no files on disk.
An ashx handler is just like an aspx page, only it has one entry point and doesn't do all of the page processing garbage. It's light weight and communicates back to the browser by response.write calls.