I've got a simple form:

@using (Html.BeginForm(null, null, FormMethod.Post, new { enctype="multipart/form-data" }))
{
    @* the input name must match the action's parameter name for model binding *@
    <input type="file" name="file" />
    <br />
    <input type="submit" value="Upload" />
}

which I'm posting to:

[HttpPost]
public ActionResult Upload(HttpPostedFileBase file)
{
    // file is null when the form posted no file or the input name does not match
    if (file != null && file.ContentLength > 0)
    {
        // All necessary validation logic here
    }

    return RedirectToAction("Index");
}

I'm trying to restrict uploaded files to jpeg, png and gif formats. I want to be able to restrict minimum and maximum width and height of the uploaded image as well as image filesize.

I guess I can check the size by simply changing if statement to:

if (file.ContentLength > 0 && file.ContentLength < maxUploadSize)

I know how to check the extension of the uploaded file but I would prefer to check its mime-type/header as well.

Question:

Given the example code above, how do I properly validate the uploaded file? I want to make sure that the file is:

  • a JPEG, GIF or a PNG file (checking file extension and file header)
  • not bigger than maximum upload size (file size)
  • of dimensions within predefined limit (width/height)

1 Answer

As you said, you should just validate image type by its file extension. Since request headers can be faked, they're not reliable.

For maximum upload size, you need to update your web.config or machine.config depending on your needs - app level or machine level.

For IIS6:

<location path="upload">
  <system.web>
    <httpRuntime maxRequestLength="xxx" />
  </system.web>
</location>

For IIS7: http://support.microsoft.com/kb/942074/

As for validating dimensions, you have to read in the image and check its width and height properties; this is the Bitmap class constructor to do that in-memory. If you want to save the image to a file first, then use this one.

Fine print: increasing this value may make you a Denial of Service (DoS) attack victim, as described here.

Security measures:

  • One workaround I can think of at this moment is to set up another server/machine to handle file uploads so your main web server is not taking the hit.
  • Use <location path="my-upload-path"> to apply this setting to a single location.
  • Consider using an HttpHandler or HttpModule to handle the upload.

I'll update my answer once I have a better solution than that.
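As an added example (not code from the question or the answer above), here is one validator that covers the three checks the question lists: extension whitelist, file header (magic bytes) that must agree with the extension, size limit, and decoded dimensions. It assumes System.Drawing is available on the server; MaxBytes, MinSide and MaxSide are illustrative limits, not values from the page.

```csharp
using System;
using System.Collections.Generic;
using System.Drawing;
using System.IO;
using System.Linq;
using System.Web;

public static class ImageUploadValidator
{
    // Assumed limits; adjust to your own policy.
    const int MaxBytes = 2 * 1024 * 1024, MinSide = 32, MaxSide = 4096;

    // File signatures (magic bytes at offset 0) keyed by the extension they must match:
    // JPEG FF D8 FF, PNG 89 50 4E 47 0D 0A 1A 0A, GIF "GIF87a" / "GIF89a".
    static readonly Dictionary<string, byte[][]> Signatures = new Dictionary<string, byte[][]>
    {
        { ".jpg",  new[] { new byte[] { 0xFF, 0xD8, 0xFF } } },
        { ".jpeg", new[] { new byte[] { 0xFF, 0xD8, 0xFF } } },
        { ".png",  new[] { new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } } },
        { ".gif",  new[] { new byte[] { 0x47, 0x49, 0x46, 0x38, 0x37, 0x61 },
                           new byte[] { 0x47, 0x49, 0x46, 0x38, 0x39, 0x61 } } },
    };

    // Returns null when the upload is acceptable, otherwise a message for the user.
    public static string Validate(HttpPostedFileBase file)
    {
        if (file == null || file.ContentLength <= 0) return "No file was uploaded.";
        if (file.ContentLength > MaxBytes) return "File is too large.";
        string ext = Path.GetExtension(file.FileName ?? string.Empty).ToLowerInvariant();
        byte[][] expected;
        if (!Signatures.TryGetValue(ext, out expected)) return "Only JPEG, PNG and GIF files are allowed.";

        // Check the file header instead of trusting the client-supplied ContentType,
        // and require it to agree with the extension.
        byte[] head = new byte[8];
        int read = file.InputStream.Read(head, 0, head.Length);
        file.InputStream.Position = 0;
        if (!expected.Any(sig => read >= sig.Length && sig.SequenceEqual(head.Take(sig.Length))))
            return "File content does not match a " + ext + " image.";

        // Decode to confirm the data is a real image and check its dimensions.
        try
        {
            using (var img = Image.FromStream(file.InputStream, false, true))
                if (img.Width < MinSide || img.Height < MinSide || img.Width > MaxSide || img.Height > MaxSide)
                    return "Image dimensions are outside the allowed range.";
        }
        catch (ArgumentException) { return "File could not be decoded as an image."; }
        finally { file.InputStream.Position = 0; }
        return null;
    }
}
```

Call it at the top of the Upload action and reject the request when it returns a message; the size and header checks run before decoding, so an oversized or non-image file never reaches the bitmap decoder.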

3 Comments

I would not use maxRequestLength to limit the size of file uploads. Bad idea. Big side effects, and unfriendly errors. Also, file extensions can be altered more easily than request headers.

Not to mention that <httpRuntime maxRequestLength="xxx"/> doesn't increase the limit on IIS7+

@Andrew Barber, now I know the side effects (DoS or network bandwidth or others), so is there a better way to do it?
