ASP.net File uploader check exe files


Problem description

I have an uploader in an aspx page.
I have done validations for valid files such as .gif, .jpg, etc.

But if I change the extension of a file, for example if someone wants to upload exe files and changes the extension to .gif, then the file uploader uploads it...
How can I prevent these sorts of attacks by using the file uploader?

Recommended answer

You are perfectly right. You can't believe in what is sent from the client side. You have to check for yourself. What you need is detecting the MIME type by the file content. There is a concept called "magic bytes" that is used under Linux, for example. Under Windows I haven't found anything better than urlmon.dll (part of Internet Explorer), which you can call via P/Invoke. Although the list of known types is not that long, it can be enough in your case.

This could also be interesting: http://www.netomatix.com/Products/DocumentManagement/MimeDetector.aspx
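
The "magic bytes" idea from the answer above, as an added example that is not part of the original thread: it reads the first bytes of the uploaded stream and accepts the file only if they match the signature of the image type its extension claims. The class and method names and the sample byte arrays are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Linq;

static class UploadSignatureCheck
{
    // Leading "magic bytes" of the image formats the uploader accepts.
    static readonly (string Ext, byte[] Magic)[] Signatures =
    {
        (".gif", new byte[] { 0x47, 0x49, 0x46, 0x38, 0x37, 0x61 }),             // "GIF87a"
        (".gif", new byte[] { 0x47, 0x49, 0x46, 0x38, 0x39, 0x61 }),             // "GIF89a"
        (".jpg", new byte[] { 0xFF, 0xD8, 0xFF }),                               // JPEG start of image
        (".png", new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A }), // PNG signature
    };

    // Returns the extension implied by the content, or null when no allowed signature matches.
    public static string DetectImageExtension(Stream content)
    {
        var header = new byte[8];
        int read = 0, n;
        // Stream.Read may return fewer bytes than requested, so loop until the header is full or the stream ends.
        while (read < header.Length && (n = content.Read(header, read, header.Length - read)) > 0)
            read += n;
        foreach (var sig in Signatures)
            if (read >= sig.Magic.Length && header.Take(sig.Magic.Length).SequenceEqual(sig.Magic))
                return sig.Ext;
        return null;
    }

    // Accept only when the extension the client claims agrees with what the bytes say.
    public static bool IsAllowed(string fileName, Stream content)
    {
        string claimed = (Path.GetExtension(fileName) ?? "").ToLowerInvariant();
        if (claimed == ".jpeg") claimed = ".jpg";
        return DetectImageExtension(content) == claimed;
    }

    static void Main()
    {
        // Constructed samples: a PE header ("MZ") renamed to .gif, and a genuine GIF header.
        var renamedExe = new byte[] { 0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00 };
        var gif = new byte[] { 0x47, 0x49, 0x46, 0x38, 0x39, 0x61, 0x01, 0x00 };
        Console.WriteLine(IsAllowed("photo.gif", new MemoryStream(renamedExe)));
        Console.WriteLine(IsAllowed("photo.gif", new MemoryStream(gif)));
    }
}
```

The check consumes the first bytes of the stream, so rewind a seekable stream before saving the upload. A matching signature only shows that the file starts like an image, so uploads should still be stored where the server will not execute them.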




Hi,
One way of doing:
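using System;
using System.ComponentModel;
using System.Diagnostics;

// Win32 error code returned when a file is not a loadable executable.
const int ERROR_BAD_EXE_FORMAT = 193;
try
{
    ProcessStartInfo psi = new ProcessStartInfo();
    // UseShellExecute = false starts the file directly as a process instead of via the shell.
    psi.UseShellExecute = false;
    //psi.FileName = @"C:\\Region.xml";
    psi.FileName = @"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe";
    // Note: Process.Start launches the file if it is a valid executable.
    Process.Start(psi);
}
catch (Win32Exception ex)
{
    if (ex.NativeErrorCode == ERROR_BAD_EXE_FORMAT)
    {
        // The exception message would be
        // "The specified executable is not a valid application for this OS platform."
        Console.WriteLine("Not a valid executable.");
    }
    else
    {
        throw;
    }
}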

