bchernick
Member
110 Points
267 Posts
Best practices with regards to file uploads
Dec 28, 2012 09:16 PM
I'm developing a fairly conventional 4.0 web app with some equally conventional code to upload files to a varbinary(max) field in a sql database. Frankly we're not dealing with anything exciting. The users will mostly be authenticated through Active Directory and most of the machines used will be within a firewall. The most common file will probably be a Doc or a JPEG.
However I'm feeling just a little paranoid. We have hard-coded the app to prevent uploading of EXE files but I wonder if I should do more.
I just found this little gem. http://www.ttu.edu/safecomputing/lubbock/recommended/fileextensions.php
Is this an up-to-date list of potentially dangerous files or does someone have better?
BrockAllen
All-Star
27554 Points
4912 Posts
MVP
Re: Best practices with regards to file uploads
Dec 28, 2012 09:56 PM
In the past when I've done this I've actually written the code to check the "magic number" for the types of file we allowed. Many file formats have the first few bytes as a well-known pattern to identify the file type.
https://en.wikipedia.org/wiki/File_format#Magic_number
For example, JPG is: ff d8
https://en.wikipedia.org/wiki/JPEG
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
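The check Brock describes, as an added example that is not code from the thread or from the poster's ASP.NET app (it is written in Python rather than C# so it can be run as-is). The signature bytes are the published magic numbers for each format; the function names, the allow list and the sample inputs are constructed for this example. Two design points it illustrates: the check is an allow list (unknown content is rejected, not merely known-bad content), and the detected type is compared against the claimed extension, so a renamed file fails even though both halves of the check would pass on their own. It establishes what format a file is, not that the file is harmless, which is the open point in the follow-up below.

```python
from typing import Optional, Tuple

# Added example, not from the original thread. Signature bytes are the
# documented magic numbers for each format; everything else is constructed.

# canonical type name -> list of (signature bytes, offset in file)
MAGIC_NUMBERS = {
    "jpeg": [(b"\xff\xd8\xff", 0)],
    "png":  [(b"\x89PNG\r\n\x1a\n", 0)],
    "gif":  [(b"GIF87a", 0), (b"GIF89a", 0)],
    "pdf":  [(b"%PDF-", 0)],
    # Legacy binary Office files (.doc/.xls/.ppt) share the OLE2 compound
    # file header, so a match proves "OLE container", not specifically "Word".
    "ole2": [(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", 0)],
    # Office Open XML (.docx/.xlsx/.pptx) files are ZIP archives.
    "zip":  [(b"PK\x03\x04", 0)],
    # Windows PE executables start with the DOS "MZ" stub; listed so a
    # renamed .exe is reported as such rather than as "unrecognised".
    "exe":  [(b"MZ", 0)],
}

# Allow list: which detected container each permitted extension may use.
# Anything not in this table (including "exe") is rejected outright.
EXTENSION_TO_TYPES = {
    "jpg": {"jpeg"}, "jpeg": {"jpeg"},
    "png": {"png"},
    "gif": {"gif"},
    "pdf": {"pdf"},
    "doc": {"ole2"},
    "docx": {"zip"},
}


def detect_type(data: bytes) -> Optional[str]:
    """Return the first type whose signature matches the leading bytes, or None."""
    for type_name, signatures in MAGIC_NUMBERS.items():
        for magic, offset in signatures:
            if data[offset:offset + len(magic)] == magic:
                return type_name
    return None


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept only if the extension is allow-listed AND the content agrees with it."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in EXTENSION_TO_TYPES:
        return False, f"extension '.{ext}' is not on the allow list"
    detected = detect_type(data)
    if detected is None:
        return False, "unrecognised content: no known signature at offset 0"
    if detected not in EXTENSION_TO_TYPES[ext]:
        return False, f"content looks like {detected}, which does not match .{ext}"
    return True, f"ok: .{ext} content carries the {detected} signature"


if __name__ == "__main__":
    # Constructed sample uploads: a real JPEG header, a legacy .doc header,
    # and a PE executable renamed to .jpg.
    samples = [
        ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
        ("report.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8),
        ("photo.jpg", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("tool.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ]
    for name, content in samples:
        accepted, reason = validate_upload(name, content)
        print(f"{name:12} {'ACCEPT' if accepted else 'REJECT'}  {reason}")
```

The signature table is deliberately small; extend it only with formats the application actually needs to accept, and keep in mind that container formats (OLE2, ZIP) identify the wrapper rather than the document type inside it.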
bchernick
Member
110 Points
267 Posts
Re: Best practices with regards to file uploads
Dec 29, 2012 02:03 PM
Interesting, but just to be paranoid again, if it's a malware file how can you trust the 'magic number'?
(Just because you're paranoid doesn't mean they're not out to get you.)
BrockAllen
All-Star
27554 Points
4912 Posts
MVP
Re: Best practices with regards to file uploads
Dec 29, 2012 02:22 PM
Sure... unfortunately I don't have a follow-up answer for you. Sorry :)
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/