Standard Way Of Verifying Uploaded File Types

I am exposing a WCF service which allows a third party to upload files. It has been open until now as to what files you can upload as this is the first phase, but for phase two I might have to increase security.

Is there an easy way in C# of verifying that a file is firstly not an exe, and that the file contents matches the extension?

I have logged the files that people have uploaded, and the first handful of bytes, and so far have come up with some info like this,

pdf 25 50 44 46 2D 31 2E
jpg FF D8 FF E0 00 10 4A 46 49 46 00 01
doc D0 CF 11 E0 A1 B1 1A E1 00 00 00 00 

etc. Is it a fixed number of bytes that determines what file type it is? Also, is there a list of this type of data around?

Do I need to take the data I collect above and roll my own C# code to check the file, or are there existing libraries or code samples that do what I am after?


There's a quick overview of the .exe file format here. The first two bytes of the file will be the ASCII characters "MZ".

As for other file formats - you'll need to research these as needed - most file formats do include a header with so-called "magic bytes" that assist with identification - although this is no guarantee that the file is legit.
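An added example, not code from the question or the answers: a C# check that allow-lists extensions, rejects content starting with "MZ", and compares the leading bytes with the prefixes logged in the question. The names `UploadSignatureCheck` and `IsAcceptable` are hypothetical, and a match only shows the header is consistent with the extension, not that the file is legitimate.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

static class UploadSignatureCheck
{
    // Leading bytes per extension, taken from the prefixes logged in the question.
    // Only the stable part is kept: JPEG bytes after FF D8 FF vary between writers.
    static readonly Dictionary<string, byte[]> Signatures =
        new Dictionary<string, byte[]>(StringComparer.OrdinalIgnoreCase)
        {
            { ".pdf", new byte[] { 0x25, 0x50, 0x44, 0x46, 0x2D } },               // "%PDF-"
            { ".jpg", new byte[] { 0xFF, 0xD8, 0xFF } },
            { ".doc", new byte[] { 0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1 } },
        };

    static readonly byte[] ExeSignature = { 0x4D, 0x5A };                          // "MZ"

    static bool StartsWith(byte[] data, int length, byte[] prefix) =>
        length >= prefix.Length && data.Take(prefix.Length).SequenceEqual(prefix);

    // True only if the extension is allow-listed, the content does not start
    // with "MZ", and the leading bytes match the signature for that extension.
    public static bool IsAcceptable(string fileName, Stream content)
    {
        byte[] expected;
        if (!Signatures.TryGetValue(Path.GetExtension(fileName) ?? "", out expected))
            return false;                                   // unknown extension: reject

        var head = new byte[8];                             // longest signature above
        int read = 0, n;
        while (read < head.Length && (n = content.Read(head, read, head.Length - read)) > 0)
            read += n;                                      // Read may return short counts

        if (StartsWith(head, read, ExeSignature)) return false;  // explicit, survives list changes
        return StartsWith(head, read, expected);
    }

    static void Main()
    {
        // Constructed sample inputs, not real uploads.
        var pdf = new MemoryStream(new byte[] { 0x25, 0x50, 0x44, 0x46, 0x2D, 0x31, 0x2E, 0x34 });
        var exe = new MemoryStream(new byte[] { 0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00 });
        Console.WriteLine(IsAcceptable("report.pdf", pdf));   // genuine PDF prefix
        Console.WriteLine(IsAcceptable("report.pdf", exe));   // EXE renamed to .pdf
        Console.WriteLine(IsAcceptable("tool.exe", exe));     // extension not allow-listed
    }
}
```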


This seems quite good,

http://www.astro.keele.ac.uk/oldusers/rno/Computing/File_magic.html
