How to allow users to upload all files types except certain files types asp,php

Last post 04-23-2009, 6:05 PM by AshMach. 4 replies.
  •  04-17-2009, 6:36 AM 51197

    How to allow users to upload all files types except certain files types asp,php

    Hi, the problem with AllowedFilesExtensions is that it is inclusive, not exclusive: it allows uploading certain files, but what if we want to upload all file types except asp, php?
     
    Thank you.
  •  04-17-2009, 8:33 AM 51204 in reply to 51197

    Re: How to allow users to upload all files types except certain files types asp,php

    Hi,
     
    I think that is not a good idea, because:
     
    1. We are not able to generate the filter for dialogs
     
    2. It's hard to find all dangerous extensions for the server.
     
    Regards,
    Terry
     
  •  04-17-2009, 4:06 PM 51226 in reply to 51204

    Re: How to allow users to upload all files types except certain files types asp,php

    We have the list of the files that can harm the server; this is not a big deal! Why not check the extension of each file type instead of trying to filter the dialogs?
  •  04-19-2009, 11:47 PM 51239 in reply to 51226

    Re: How to allow users to upload all files types except certain files types asp,php

    Hi,
     
    This is a sample for your request:
     
    <%@ Page Language="C#" Title="First sample" %>
    <%@ Import Namespace="System.IO" %>
    <%@ Import Namespace="CuteWebUI" %>
    <%@ Register TagPrefix="CuteWebUI" Namespace="CuteWebUI" Assembly="CuteWebUI.AjaxUploader" %>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">

    <script runat="server">

        // Extensions that must never be accepted (compared in lower case).
        string disabledExtList = "aspx,asp,ashx,html,htm,mht,exe,dll,php,jsp";

        // Show the newest message at the top of the trace list.
        void InsertMsg(string msg)
        {
            ListBoxEvents.Items.Insert(0, msg);
            ListBoxEvents.SelectedIndex = 0;
        }

        protected void UploadAttachments1_AttachmentAdded(object sender, AttachmentItemEventArgs args)
        {
            InsertMsg("Added.." + args.Item.FileName);
        }

        protected void UploadAttachments1_FileValidating(object sender, UploaderEventArgs args)
        {
            // Validate the extension; this is very important!
            // The client-side validation is not safe, so double-check it here.
            // Windows drops trailing dots and spaces when the file is saved,
            // so strip them before reading the extension.
            string name = args.FileName.TrimEnd('.', ' ');
            string ext = Path.GetExtension(name).TrimStart('.').ToLowerInvariant();
            ext = "," + ext + ",";
            string list = "," + disabledExtList.ToLowerInvariant() + ",";
            if (list.IndexOf(ext, StringComparison.Ordinal) != -1)
            {
                throw new Exception("Invalid file type!");
            }
        }
    </script>

    <html xmlns="http://www.w3.org/1999/xhtml">
    <head id="Head1" runat="server">
    </head>
    <body>
        <form id="Form1" runat="server">
            <CuteWebUI:UploadAttachments runat="server" ID="UploadAttachments1" OnAttachmentAdded="UploadAttachments1_AttachmentAdded" OnFileValidating="UploadAttachments1_FileValidating">
            </CuteWebUI:UploadAttachments>
            <br />
            <div>
                Server Trace:
                <br />
                <asp:ListBox runat="server" ID="ListBoxEvents" Width="800"></asp:ListBox>
            </div>
        </form>
        <script type="text/javascript">
        // Same list as the server side, rendered into the page.
        var disabledExtList = '<%=disabledExtList %>';
        </script>
        <script type="text/javascript">
        // Validate the extensions on the client side.
        // This way is not safe, it is just for performance.
        // Keep it disabled to test the server validation.
        var useclientvalidation = false;
        function CuteWebUI_AjaxUploader_OnSelect(files)
        {
            if (useclientvalidation)
            {
                var list = "," + disabledExtList + ",";
                for (var i = 0; i < files.length; i++)
                {
                    var fps = files[i].FileName.split('.');
                    var ext = fps[fps.length - 1].toLowerCase();
                    ext = "," + ext + ",";
                    if (list.indexOf(ext) != -1)
                    {
                        alert("Javascript : Invalid file type : " + ext);
                        // Cancel it.
                        return false;
                    }
                }
            }
        }
        </script>

    </body>
    </html>

    Regards,
    Terry
     
     
  •  04-23-2009, 6:05 PM 51462 in reply to 51239

    Re: How to allow users to upload all files types except certain files types asp,php

    Hi Terry, do you think just checking file extensions is safe? What about spoofed files? See my thread at
     
    http://cutesoft.net/forums/permalink/51461/51461/ShowThread.aspx#51461
     
    Regards, Ash
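
Added example, not part of the thread and not code from any poster or from the CuteWebUI product: it contrasts the sample's denylist, which accepts anything it does not name, with an allowlist that fails closed and also requires the first bytes of the upload to match the signature its extension claims (the spoofed-file concern raised in the last post). The `UploadCheck` class, its method names, the two allowlisted types and the sample file names and contents are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;

static class UploadCheck
{
    // Denylist string from the sample in this thread, kept for comparison.
    static readonly string[] Disabled =
        "aspx,asp,ashx,html,htm,mht,exe,dll,php,jsp".Split(',');

    // Assumed allowlist: extension -> bytes the content must start with.
    static readonly Dictionary<string, byte[]> Allowed =
        new Dictionary<string, byte[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "pdf", new byte[] { 0x25, 0x50, 0x44, 0x46 } },   // "%PDF"
            { "png", new byte[] { 0x89, 0x50, 0x4E, 0x47 } },   // 0x89 "PNG"
        };

    static string Ext(string fileName)
    {
        // Windows drops trailing dots and spaces when saving a file, so
        // normalise the name the same way before reading the extension.
        string name = Path.GetFileName(fileName ?? "").TrimEnd('.', ' ');
        return Path.GetExtension(name).TrimStart('.').ToLowerInvariant();
    }

    public static bool DenylistAccepts(string fileName)
    {
        return Array.IndexOf(Disabled, Ext(fileName)) < 0;      // fails open
    }

    public static bool AllowlistAccepts(string fileName, byte[] head)
    {
        byte[] magic;
        if (!Allowed.TryGetValue(Ext(fileName), out magic)) return false; // fails closed
        // Content must start with the signature its extension claims.
        return head != null && head.Length >= magic.Length
            && head.Take(magic.Length).SequenceEqual(magic);
    }

    static void Main()
    {
        byte[] pdf = Encoding.ASCII.GetBytes("%PDF-1.4");        // constructed content
        byte[] markup = Encoding.ASCII.GetBytes("<%@ Page %>");  // constructed content
        var samples = new[] { "report.pdf", "service.asmx", "page.aspx.", "photo.png" };
        foreach (string f in samples)
            Console.WriteLine("{0,-14} denylist={1,-5} allowlist(pdf bytes)={2,-5} allowlist(markup)={3}",
                f, DenylistAccepts(f), AllowlistAccepts(f, pdf), AllowlistAccepts(f, markup));
    }
}
```

A signature match only shows that the content begins like the claimed type; storing uploads outside any directory the web server executes or serves as pages remains the stronger control.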