Before storing an uploaded image on the server we must validate it, because a user may upload a malicious script disguised as an image. Such a script can lead to cross-site scripting (XSS), a vulnerability in which an attacker injects client-side script into web pages viewed by other users. Script that a browser executes in the site's own origin can be used to bypass access controls such as the same-origin policy.
A common first step is to check the extension of the uploaded file and reject anything not on the allow list. That alone is not enough: the user can simply rename the script with a permitted extension and upload it. So we must also inspect the contents of the file before storing it. A related problem arises when the website restricts the image format. For example, if the site allows only PNG images but the user has a JPEG, renaming the file from .jpeg to .png gets it past the extension check even though the content is still JPEG.
using System.IO;
// Extension as declared by the client; useful for the allow list, but not trustworthy on its own
string ext = Path.GetExtension(fuControl.PostedFile.FileName);
To handle all of these cases without trusting the extension, we propose checking the format GUID of the decoded image. A GUID for each image format is predefined in the System.Drawing.Imaging namespace (ImageFormat.Jpeg, ImageFormat.Png, and so on), so comparing Image.RawFormat.Guid against them is straightforward. Two caveats: Microsoft documents System.Drawing as not supported inside Windows or ASP.NET services, and decoding untrusted input with GDI+ is itself attack surface, so keep the allow list short and the framework patched.
Step 1: Check the actual content of the file rather than its extension
using System;
using System.Drawing;
using System.Drawing.Imaging;

// Image.FromStream decodes the uploaded bytes; GDI+ throws ArgumentException if they are not a valid image
try
{
    using (Image imgObj = Image.FromStream(fuControl.FileContent))
    {
        Guid fmt = imgObj.RawFormat.Guid;
        if (fmt == ImageFormat.Jpeg.Guid)      { /* write your code here if the image is JPEG */ }
        else if (fmt == ImageFormat.Gif.Guid)  { /* write your code here if the image is GIF */ }
        else if (fmt == ImageFormat.Png.Guid)  { /* write your code here if the image is PNG */ }
        else if (fmt == ImageFormat.Icon.Guid) { /* write your code here if the image is ICO */ }
        else if (fmt == ImageFormat.Bmp.Guid)  { /* write your code here if the image is BMP */ }
        else                                   { /* invalid format: reject the upload */ }
    }
}
catch (ArgumentException)
{
    // not a decodable image at all: reject the upload
}
Step 2: Check the file against the maximum size allowed
// ContentLength is in bytes; dividing by 1024 gives kilobytes
if ((fuControl.PostedFile.ContentLength / 1024) > MaxFileSizeInKB)
{
    // file too large: reject the upload
}
Here fuControl is the FileUpload control and MaxFileSizeInKB is the property of the validator that holds the maximum limit in kilobytes. Note that by the time this code runs the request body has already been received, so also set httpRuntime maxRequestLength in web.config to reject oversized requests before they are buffered.
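The two steps above combined into one allow-list validator, as an added example that is not part of the original article. It assumes an ASP.NET WebForms FileUpload control named fuControl and a caller-supplied size limit (maxKb); the class and method names are hypothetical. Beyond the article's checks it also ties the declared extension to the GUID the content must decode as, and re-encodes the image so that trailing bytes or metadata a valid image may still carry are not written to disk.

```csharp
using System;
using System.Collections.Generic;
using System.Drawing;
using System.Drawing.Imaging;
using System.IO;

// Added example (not from the original article). Assumes an ASP.NET WebForms
// FileUpload control named fuControl; ImageUploadValidator and TryValidate are
// hypothetical names chosen for this illustration.
public static class ImageUploadValidator
{
    // Allow list: declared extension -> GDI+ format GUID the content must decode as.
    private static readonly Dictionary<string, Guid> Allowed =
        new Dictionary<string, Guid>(StringComparer.OrdinalIgnoreCase)
        {
            { ".jpg",  ImageFormat.Jpeg.Guid },
            { ".jpeg", ImageFormat.Jpeg.Guid },
            { ".png",  ImageFormat.Png.Guid },
            { ".gif",  ImageFormat.Gif.Guid },
        };

    // Returns true and the re-encoded bytes when the upload is an allowed image whose
    // content matches its extension and whose size is within maxKb; otherwise false and a reason.
    public static bool TryValidate(string fileName, Stream content, int maxKb,
                                   out string error, out byte[] reencoded)
    {
        error = null;
        reencoded = null;

        // 1. Extension must be on the allow list (cheap check, decides the expected format).
        string ext = Path.GetExtension(fileName);
        Guid expected;
        if (string.IsNullOrEmpty(ext) || !Allowed.TryGetValue(ext, out expected))
        {
            error = "Extension not in allow list";
            return false;
        }

        // 2. Size check before decoding, so oversized data is never handed to GDI+.
        if (content.Length > (long)maxKb * 1024)
        {
            error = "File exceeds " + maxKb + " KB";
            return false;
        }

        // 3. Decode and compare the real format GUID with the one the extension promised.
        try
        {
            // validateImageData = true makes GDI+ verify the image data, not just the header.
            using (Image img = Image.FromStream(content, false, true))
            {
                if (img.RawFormat.Guid != expected)
                {
                    error = "Content does not match extension " + ext;
                    return false;
                }

                // 4. Re-encode: writes only the decoded pixels in the expected format,
                //    dropping trailing bytes, comments and other metadata from the upload.
                using (var ms = new MemoryStream())
                {
                    img.Save(ms, img.RawFormat);
                    reencoded = ms.ToArray();
                }
            }
        }
        catch (ArgumentException)
        {
            error = "Not a decodable image";
            return false;
        }
        return true;
    }
}

// Usage inside the upload handler (fuControl is the FileUpload control, uploadDir is the
// storage folder outside the web root):
//
//   byte[] clean; string why;
//   if (ImageUploadValidator.TryValidate(fuControl.FileName, fuControl.FileContent, 512, out why, out clean))
//       File.WriteAllBytes(Path.Combine(uploadDir, Guid.NewGuid() + Path.GetExtension(fuControl.FileName)), clean);
//   else
//       lblError.Text = why;
```

The stored file is given a server-generated name rather than the client's, so the user never controls the path written to. Re-encoding discards animation frames from GIFs and any EXIF data, which is usually acceptable for avatars and similar uploads; if those must be preserved, keep the GUID check and drop step 4. When serving the files back, send the matching Content-Type and X-Content-Type-Options: nosniff, because a file that is a valid image can still be served in a way that a browser interprets as HTML.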
In summary, the validator checks two things:
1. The image format, against a predefined list of allowed formats, using the decoded content rather than the extension
2. The size of the image