Introduction
Generally, we have seen that every web application has functionality like upload images and store those images into server. But before storing images into a server, they may be required to validate that image because there may be possible that user may upload malicious scripts.
Generally, we may check the extension of that uploaded file and denied that script file to upload on the server. But this validation is not enough to restrict upload malicious script because user will change the extension of that script and upload that file.
To resolve this problem, we should check the content of those images instead of file extension. Because if user changes file extension, the content of that file never changes.
Implementation
Now in this tip, we will see how to check content of the images and restrict user from uploading malicious script using a simple example. To check the content of the images, we will useSystem.Drawing.Image class.
Now, the first step is to create a simple web application in Visual Studio and add a Web From. Now add one file upload control and button. Markup of your default page looks like below:
<asp:FileUpload ID="FileUpload1" runat="server" /><br /><br />
<asp:Button Text="Save" runat="server" ID="butSave" onclick="butSave_Click" />
Now we need to write the below code in button click to validate images.
try
{
if (FileUpload1.HasFile)
{
System.Drawing.Image image = System.Drawing.Image.FromStream(FileUpload1.FileContent);
string FormetType = string.Empty;
if (image.RawFormat.Guid == System.Drawing.Imaging.ImageFormat.Tiff.Guid)
FormetType = "TIFF";
else if (image.RawFormat.Guid == System.Drawing.Imaging.ImageFormat.Gif.Guid)
FormetType = "GIF";
else if (image.RawFormat.Guid == System.Drawing.Imaging.ImageFormat.Jpeg.Guid)
FormetType = "JPG";
else if (image.RawFormat.Guid == System.Drawing.Imaging.ImageFormat.Bmp.Guid)
FormetType = "BMP";
else if (image.RawFormat.Guid == System.Drawing.Imaging.ImageFormat.Png.Guid)
FormetType = "PNG";
else if (image.RawFormat.Guid == System.Drawing.Imaging.ImageFormat.Icon.Guid)
FormetType = "ICO";
else
throw new System.ArgumentException("Invalid File Type");
lblMessage.Text = "File Format Is:" + FormetType;
}
}
catch (System.ArgumentException exp)
{
lblMessage.Text="Invalid File";
}
catch (Exception ex)
{
lblMessage.Text = ex.Message;
}
In the above code, we check whether user uploads any file, if yes then we will convert that file into image object. After converting into image object, we will check that image object RawFormat.GUID to check file content. We will check and compare that GUID with ImageFormat enum.
Using this, we can put some restriction that some image file types are only allowed not other than this. If user changes file extension but their RowFormat GUID’s never change, it will remain the same even after it’s extension changed. For example, if user changed gif file extension to jpg but its GUID never changed, it will remain the same which is in GIF.
In the above example, if user uploads any file other than images, it will generate ArgumentException while accessing its rowformat property so here we cannot allow to file other than images.
Conclusion
The goal of this tip is to just show you that we can validate image using its content rather than its file extension. Hope this will help you.
