Last post Dec 29, 2012 02:22 PM by BrockAllen
Dec 28, 2012 09:16 PM
I'm developing a fairly conventional 4.0 web app with some equally conventional code to upload files to a varbinary(max) field in a SQL database. Frankly, we're not dealing with anything exciting. The users will mostly be authenticated through Active Directory,
and most of the machines used will be within a firewall. The most common file will probably be a Doc or a JPEG.
However I'm feeling just a little paranoid. We have hard-coded the app to prevent uploading of EXE files but I wonder if I should do more.
I just found this little gem. http://www.ttu.edu/safecomputing/lubbock/recommended/fileextensions.php
Is this an up-to-date list of potentially dangerous files or does someone have better?
Dec 28, 2012 09:56 PM
In the past when I've done this I've actually written the code to check the "magic number" for the types of file we allowed. Many file formats have the first few bytes as a well-known pattern to identify the file type.
For example, JPG is: ff d8
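The check described in the reply above, written out as an added example (editor's code, not code posted in this thread or from any particular project). It keeps an allow list of extensions, each mapped to the well-known leading bytes for that format (JPEG's ff d8 is extended to the three-byte ff d8 ff start of a JPEG; the PNG, GIF, PDF, OLE2 .doc and ZIP-based .docx signatures are the standard published ones), reads just enough of the upload stream to compare, and rejects anything whose extension is unknown or whose header does not match. The sample inputs at the bottom are constructed byte strings, not real files.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

// Added example: validate an upload by checking that the first bytes of the
// stream match the signature expected for the file's declared extension.
public static class UploadSignatureCheck
{
    // Extension (with dot) -> acceptable leading byte patterns for that format.
    private static readonly Dictionary<string, byte[][]> Signatures =
        new Dictionary<string, byte[][]>(StringComparer.OrdinalIgnoreCase)
    {
        { ".jpg",  new[] { new byte[] { 0xFF, 0xD8, 0xFF } } },
        { ".jpeg", new[] { new byte[] { 0xFF, 0xD8, 0xFF } } },
        { ".png",  new[] { new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } } },
        { ".gif",  new[] { new byte[] { 0x47, 0x49, 0x46, 0x38, 0x37, 0x61 },    // "GIF87a"
                           new byte[] { 0x47, 0x49, 0x46, 0x38, 0x39, 0x61 } } }, // "GIF89a"
        { ".pdf",  new[] { new byte[] { 0x25, 0x50, 0x44, 0x46 } } },             // "%PDF"
        { ".doc",  new[] { new byte[] { 0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1 } } }, // OLE2 compound document
        { ".docx", new[] { new byte[] { 0x50, 0x4B, 0x03, 0x04 } } },             // "PK\x03\x04" (ZIP container)
    };

    // True only when the extension is on the allow list AND the leading bytes
    // match one of that extension's signatures. Unknown extensions are rejected
    // (allow list, not deny list), as is an .exe renamed to .jpg: its "MZ"
    // header does not match the JPEG signature.
    public static bool IsAllowed(string fileName, Stream content)
    {
        if (string.IsNullOrEmpty(fileName) || content == null) return false;

        string ext = Path.GetExtension(fileName);   // "" when there is no extension
        byte[][] patterns;
        if (!Signatures.TryGetValue(ext, out patterns)) return false;

        // Read enough bytes for the longest candidate pattern. Stream.Read may
        // return fewer bytes than asked for, so loop until the buffer is full
        // or the stream ends.
        int longest = patterns.Max(p => p.Length);
        byte[] head = new byte[longest];
        int read = 0;
        while (read < longest)
        {
            int n = content.Read(head, read, longest - read);
            if (n == 0) break;
            read += n;
        }

        return patterns.Any(p => read >= p.Length && p.SequenceEqual(head.Take(p.Length)));
    }

    // In a handler the call would look like this (hypothetical field name "file").
    // The check consumes bytes from the stream, so rewind before storing:
    //   HttpPostedFile upload = Request.Files["file"];
    //   if (!UploadSignatureCheck.IsAllowed(upload.FileName, upload.InputStream)) { /* reject */ }
    //   upload.InputStream.Position = 0;

    public static void Main()
    {
        // Constructed sample headers, not real uploads.
        byte[] jpegHeader = { 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 0x4A, 0x46, 0x49, 0x46 };
        byte[] exeHeader  = { 0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00 }; // "MZ": PE/DOS executable

        Console.WriteLine(IsAllowed("photo.jpg",  new MemoryStream(jpegHeader)));  // genuine JPEG header
        Console.WriteLine(IsAllowed("photo.jpg",  new MemoryStream(exeHeader)));   // executable renamed to .jpg
        Console.WriteLine(IsAllowed("tool.exe",   new MemoryStream(exeHeader)));   // extension not on the allow list
        Console.WriteLine(IsAllowed("notes.docx", new MemoryStream(jpegHeader)));  // extension and content disagree
        Console.WriteLine(IsAllowed("short.png",  new MemoryStream(new byte[] { 0x89, 0x50 }))); // truncated header
    }
}
```

Two practical notes on the design. The browser-supplied Content-Type is set by the client and should not be used as the type check; the bytes are what get stored and later served. And the check establishes only that the upload is consistent with the format its name claims, not that it is harmless: a file that exploits a bug in an image or document parser still carries the correct signature for that format. An allow list of signatures plus size limits and, where the files are served back out, serving them with a fixed Content-Type and as attachments is about as far as a signature check alone can take you.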
Dec 29, 2012 02:03 PM
Interesting, but just to be paranoid again, if it's a malware file how can you trust the 'magic number'?
(Just because you're paranoid doesn't mean they're not out to get you.)
Dec 29, 2012 02:22 PM
Sure... unfortunately I don't have a follow-up answer for you. Sorry :)