
I was wondering if anyone can help. I sent ImageResizer an email about a week ago and as yet have not received a reply about my query, so hopefully someone from ImageResizer or a Stack Overflow member can answer my question.

I have the following code.

if (File != null && File.ContentLength > 0)
{
    // Whitelist on the (lower-cased) extension of the client-supplied file name
    string extension = Path.GetExtension(File.FileName.ToLower());
    var imageId = Guid.NewGuid();
    if (extension == ".png" || extension == ".jpg" || extension == ".jpeg" || extension == ".gif")
    {
        // Store under our own Guid; ImageResizer fills in <ext> from the output format
        var i = new ImageResizer.ImageJob(File, "~/uploads/" + imageId + ".<ext>",
            new ImageResizer.ResizeSettings("width=200;height=200;format=png;mode=max"))
        {
            CreateParentDirectory = false
        };

        i.Build();
        GetValue(model, imageId);
        return RedirectToAction("RegisterStepTwo", "Account");
    }

    TempData["WrongImageFormat"] = "Image must be either png, jpeg/jpg or gif";
    return View();
}

What I have read over the last week on this website and others is that, to try to validate against an invalid image upload, you should change the file name, resize, and change the extension.

The code above seems to do that, and I add my own Guid to add to the database. If I create an invalid file in Notepad, add JavaScript and save it as a .png, it returns the following error.

[ImageCorruptedException (0x80004005): File may be corrupted, empty, or may contain a PNG image with a single dimension greater than 65,535 pixels.]

So my question is: does the code above protect against invalid image uploads? Having read the docs here and elsewhere on the website, I cannot find the information I require.

Hopefully someone with a lot more experience than me can help with this question.

1 Answer


Re-encoding an image and stripping metadata is the best way to ensure that it can't retain any malicious content. ImageResizer does this by default.

However, it's just as important to make sure that image data is never interpreted as anything other than an image - which means controlling the final file extension, and ensuring that it is always served to clients with an image mime-type. Using ImageResizer's template paths is a good way to help with this - as you're doing. Never use the uploaded file name.

If you want to whitelist file extensions, Config.Current.Pipeline.AcceptedImageExtensions and Config.Current.Pipeline.IsAcceptedImageType(path) will help you determine if ImageResizer can support them as source formats. Output formats are always png, gif, jpeg, or webp (if WebPEncoder is installed), so you don't have to worry about that if you're using the <ext> path variable.

Rather than filter the upload file extension as you're doing, you might simply use a try{} catch{} block to capture any thrown ImageCorruptedException. It's not very informative to block uploads based on file extension; better to say that the file doesn't contain valid image data.

Also, I'm sorry we didn't receive your e-mail from last week; I cannot find any record of you asking about this prior to today.

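Pulling the answer's points together in one upload/serve pair, as an added example (this is not code from the answer's author or from ImageResizer itself): the client-supplied name is used only for the source-format whitelist, the stored name is a Guid plus the `<ext>` template, a renamed script file is rejected by catching ImageCorruptedException rather than by extension, and the stored file is always served under a fixed extension and image MIME type. The controller, action and folder names, the HttpPostedFileBase parameter, and the nosniff header are my assumptions; `Config.Current.Pipeline.IsAcceptedImageType`, `ImageJob`, `ResizeSettings` and `ImageCorruptedException` are the ImageResizer members named on this page.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using ImageResizer;
using ImageResizer.Configuration;

// Hypothetical controller; names are assumptions for illustration.
public class AvatarController : Controller
{
    // format=png is forced in the ResizeSettings below, so only .png is ever
    // written and the serving action can hard-code the extension and MIME type.
    private const string OutputExtension = ".png";
    private const string OutputMimeType = "image/png";
    private const string UploadFolder = "~/uploads/";

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Upload(HttpPostedFileBase upload)
    {
        if (upload == null || upload.ContentLength == 0)
        {
            TempData["WrongImageFormat"] = "No file was uploaded.";
            return View();
        }

        // Optional whitelist of *source* formats ImageResizer can decode. The
        // uploaded file name is consulted here only; it never reaches the disk.
        if (!Config.Current.Pipeline.IsAcceptedImageType(upload.FileName))
        {
            TempData["WrongImageFormat"] = "File type is not a supported image format.";
            return View();
        }

        var imageId = Guid.NewGuid(); // our name for the file, never the client's
        var job = new ImageJob(
            upload,
            UploadFolder + imageId + ".<ext>", // <ext> is resolved from the output format
            new ResizeSettings("width=200;height=200;format=png;mode=max"))
        {
            CreateParentDirectory = false
        };

        try
        {
            // Decode, resize and re-encode; the original bytes and metadata are not kept.
            job.Build();
        }
        catch (ImageCorruptedException)
        {
            // A text/script file renamed to .png lands here: it has no decodable image data.
            TempData["WrongImageFormat"] = "The file does not contain valid image data.";
            return View();
        }

        return RedirectToAction("Show", new { id = imageId });
    }

    // Serve the stored file under the fixed extension and an image MIME type, so
    // the bytes are never interpreted as HTML or script by the browser.
    [HttpGet]
    public ActionResult Show(Guid id)
    {
        // Guid model binding means only a well-formed id can reach this path;
        // the path is built from it, not from anything the client typed.
        var physical = Server.MapPath(UploadFolder + id + OutputExtension);
        if (!System.IO.File.Exists(physical))
        {
            return HttpNotFound();
        }

        // Stop browsers from content-sniffing the response into another type.
        Response.AppendHeader("X-Content-Type-Options", "nosniff");
        return File(physical, OutputMimeType);
    }
}
```

If you later allow other output formats (for example by dropping `format=png` from the settings), the serving action can no longer assume `.png`; store the extension ImageResizer actually produced alongside the Guid and look the MIME type up from that rather than from anything the client sent.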

1 Comment

Hi Computer Linguist, thanks for the reply. I just sent another email tonight (today) with a copy of my code. Once again, thanks for your help; I will modify the code as per your reply.
