Prevent double file Extension file upload in c#


Problem description


How to prevent a user from uploading files containing a double extension, like

Abc.exe.csv

I want to allow the user to upload only .csv files.

string ext = System.IO.Path.GetExtension(FileUpload1.FileName);

When I'm uploading Abc.exe.csv it is returning the .csv extension,

but the actual file is an exe,

which is bypassing the extension check.

Solution

You could check how many times "." appears in the filename. If it has more than 1, reject the file.
There are a couple of ways to count the number of occurrences in a string.
Using LINQ:

// Requires: using System.Linq;
int count = FileUpload1.FileName.Count(f => f == '.');


Or by splitting into an array and counting the number of elements:

int count = FileUpload1.FileName.Split('.').Length - 1;


Are you concerned only with double extensions, or are you concerned with an executable file being uploaded?
I mean a user can upload an executable file named 'Sample.exe.csv', but also nothing stops him from renaming it to 'Sample.csv'.

Nevertheless, in case you really want to check only double extensions, you can use this:

string ext = Path.GetExtension(
                Path.GetFileNameWithoutExtension(
                    this.FileUpload1.FileName));

bool hasExecutableExtension = ext.Equals(".exe", StringComparison.InvariantCultureIgnoreCase);


But in order to check if a file is executable you should evaluate its signature; executable files have "MZ" as a signature. So you can use something like this:

bool isExecutableFile = this.FileUpload1.FileBytes.Length > 1 &&
                        this.FileUpload1.FileBytes[0] == 0x4D &&
                        this.FileUpload1.FileBytes[1] == 0x5A;


But to me this is all an unsafe approach; what I would do is try to parse it. After all, I presume you will probably want to process its content.
Or at least something along the lines of the following (but note that the following snippet makes some assumptions, like that your valid CSV should have at least two rows and use a comma as a separator):

using (var reader = new StreamReader(this.FileUpload1.FileContent))
{
    string firstRow = reader.ReadLine();
    if (string.IsNullOrEmpty(firstRow))
        return;

    string secondRow = reader.ReadLine();
    if (string.IsNullOrEmpty(secondRow))
        return;

    int firstColumnCount = firstRow.Split(',').Length;
    if (firstColumnCount < 2)
        return;

    int secondColumnCount = secondRow.Split(',').Length;
    if (secondColumnCount != firstColumnCount)
        return;
    
    // Do something with it ...
}
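
An added example (not code from the answers above) that combines the checks discussed here into one validation step: exactly one extension and it is .csv, no MZ signature, and content that reads as consistent CSV. The class `CsvUploadCheck`, the method `Reject` and the sample uploads are hypothetical and constructed for illustration; in the question's page the inputs would be `FileUpload1.FileName` and `FileUpload1.FileBytes`.

```csharp
using System;
using System.IO;
using System.Text;

static class CsvUploadCheck
{
    // Hypothetical helper: returns null when the upload passes, otherwise the rejection reason.
    public static string Reject(string fileName, byte[] content)
    {
        if (content == null) return "no content";
        // Use only the leaf name the client sent; drop any directory part.
        string name = Path.GetFileName(fileName ?? "");
        if (!Path.GetExtension(name).Equals(".csv", StringComparison.OrdinalIgnoreCase))
            return "extension is not .csv";
        // Any further dot in the stem means a second extension (Abc.exe.csv).
        if (Path.GetFileNameWithoutExtension(name).Contains("."))
            return "more than one extension";
        // Executables start with the bytes 'M' 'Z'; renaming the file does not change that.
        if (content.Length > 1 && content[0] == 0x4D && content[1] == 0x5A)
            return "content has an MZ signature";
        // Same assumptions as the answer: at least two rows, comma separator, equal column counts.
        using (var reader = new StreamReader(new MemoryStream(content), Encoding.UTF8))
        {
            string first = reader.ReadLine();
            string second = reader.ReadLine();
            if (string.IsNullOrEmpty(first) || string.IsNullOrEmpty(second))
                return "fewer than two rows";
            int columns = first.Split(',').Length;
            if (columns < 2 || second.Split(',').Length != columns)
                return "rows are not consistent CSV";
        }
        return null;
    }

    static void Main()
    {
        // Constructed sample uploads: file name plus the first bytes of the content.
        byte[] csv = Encoding.UTF8.GetBytes("id,name\n1,alice\n");
        byte[] exe = { 0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00 };
        var samples = new (string Name, byte[] Body)[]
        {
            ("report.csv", csv), ("Abc.exe.csv", exe), ("Sample.csv", exe), ("notes.txt", csv)
        };
        foreach (var s in samples)
            Console.WriteLine($"{s.Name}: {Reject(s.Name, s.Body) ?? "accepted"}");
    }
}
```

The renamed 'Sample.csv' case passes both file-name checks and is rejected only by the content checks, which is why the name alone is not sufficient.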

