Last post Jul 15, 2016 10:01 AM by Mikesdotnetting
Jul 15, 2016 02:32 AM | Gleeming
I am maintaining some code, and have been asked to look into any security flaws that might exist when the code allows for uploading an MS Excel file. Some of the code is shown below, and as you can see I am using the Microsoft Jet OLEDB 4.0 provider.
The code is good in the sense that if someone tries to upload a malformed file, then an error message is displayed (I have no idea where it is coming from. Possibly deep inside the provider?). The error message is the following: "External table is not in the expected Format". How can I ensure that my code is more secure and that someone is not able to upload a malicious file? How can I test for a malicious file?
using System.Data.OleDb;

// Jet 4.0 connection string for an Excel 97-2003 (.xls) workbook; the provider name is "Provider=Microsoft.Jet.OLEDB.4.0"
var XlsConStr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" + fileSaveLocation + ";Extended Properties='Excel 8.0;HDR=Yes;IMEX=1';";
var cnXlsConnection = new OleDbConnection(XlsConStr);
Jul 15, 2016 10:01 AM | Mikesdotnetting
You can check the extension of the upload, but that won't necessarily prevent someone altering the extension of their malicious file. I would simply catch the exception when you try to open the file using JET and delete the file.
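One way to implement the reply's suggestion, as an added example that is not code from either poster: a hypothetical helper that takes the path the upload was already saved to, applies the (weak) extension check, then tries to open the file with the Jet provider and deletes it when Jet rejects it.

```csharp
using System;
using System.Data.OleDb;
using System.IO;

// Hypothetical helper (not from the thread): returns true only if the Jet
// provider can open the saved upload as an Excel 97-2003 workbook.
public static class ExcelUploadCheck
{
    // fileSaveLocation: where the upload was written. Keep that folder outside
    // the web root so a rejected or bogus file is never served back to clients.
    public static bool TryValidateWorkbook(string fileSaveLocation, out string error)
    {
        error = null;

        // Cheap first filter. As the reply notes, a renamed file passes this,
        // so it only narrows what reaches the provider; it proves nothing.
        if (!string.Equals(Path.GetExtension(fileSaveLocation), ".xls",
                           StringComparison.OrdinalIgnoreCase))
        {
            error = "Unexpected file extension";
            File.Delete(fileSaveLocation);
            return false;
        }

        var xlsConStr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" + fileSaveLocation +
                        ";Extended Properties='Excel 8.0;HDR=Yes;IMEX=1';";
        bool ok;
        try
        {
            using (var cn = new OleDbConnection(xlsConStr))
            {
                // Open() throws OleDbException ("External table is not in the
                // expected format.") when the bytes are not a Jet-readable workbook.
                cn.Open();

                // Jet parsed the file; require at least one sheet as a further sanity check.
                var sheets = cn.GetOleDbSchemaTable(OleDbSchemaGuid.Tables, null);
                ok = sheets != null && sheets.Rows.Count > 0;
                if (!ok) error = "Workbook contains no sheets";
            }
        }
        catch (OleDbException ex)
        {
            // Log the provider's message server-side; show the user a generic one.
            error = ex.Message;
            ok = false;
        }

        // The connection is disposed by now, so the file handle is released before deletion.
        if (!ok) File.Delete(fileSaveLocation);
        return ok;
    }
}
```

A successful open only shows that Jet could parse the file as a workbook; it says nothing about the cell contents, so treat the data read from it as untrusted input and never hand the saved file to Excel on the server.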