如何限制/验证文件上传文件类型的IIS服务器端 [英] How to restrict/validate file upload filetypes server side on IIS

问题描述

我想有用户被授权上传到我的IIS服务器的文件类型（使用IIS 7.5版IM）。

I would like to have a whitelist of filetypes that users are authorized to upload to my IIS server (im using IIS v7.5).

什么是，我有选择吗？例如，要限制文件大小为5MB在我的控制器中的具体行动，我添加了这部分到我的webconfig：

What is the options that i have? For example, to restrict filesize to 5MB for a specific action in my controller, i added this section to my webconfig:

<location path="home/fileupload">
  <system.web>
    <!-- maxRequestLength is in kilobytes (KB) -->
    <httpRuntime maxRequestLength="5120" /> <!-- 5MB -->
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- maxAllowedContentLength is in bytes -->
        <requestLimits maxAllowedContentLength="5242880"/> <!-- 5MB -->
      </requestFiltering>
    </security>
  </system.webServer>
</location>

有没有在webconfig的选项来设置文件类型允许的白名单中？或者是唯一的选择是验证在code中的文件类型时，文件全部上传？什么是推荐的工艺？我怎么能肯定的是，.DOCX，.PDF，.JPG等都是真的，他们是什么？

Is there an option in the webconfig to set a whitelist of allowed filetypes? Or is the only option is to validate the filetypes in code when the file is fully uploaded? What is the recommended technics? How can i be sure that the .docx, .pdf, .jpg, etc are really what they are?

推荐答案

既然你想要的服务器端，你可以使用这些文件的MIME类型。

Since you are wanting server side you could use the files mime type.

<一个href=\"http://stackoverflow.com/questions/58510/using-net-how-can-you-find-the-mime-type-of-a-file-based-on-the-file-signature\">THIS交的显示如何确定基于所述文件的内容（而非由扩展）的MIME类型。

THIS post shows how to determine the MIME type based on the files contents (instead of by the extension).

如果你想限制输入到特定的文件扩展名，你可以简单地检查输入的名字对你要接受的东西。如果通过，你可以做一个对外部参照在后我联系，以确保用户不只是改变你的文件扩展名的库。

If you do want to limit the input to SPECIFIC file extension you could simply check the input name against what you want to accept. If this passes you could do an xref against the library in the post I linked to make sure the user didn't just change the file extension on you.

这样做将提供一个pretty好度的把握，该文件是要接受一个！

Doing this would provide a pretty good degree of certainty that the file is one that you want to accept!

编辑：根据评论到目前为止....
根据你说你正在寻找这个方法应该很好地为你工作。我的建议，如果你只是想限制它在你的评论一家上市的文件类型...请在文件扩展名的简单的检查。如果是有效的，则通过该文件中的链接所列出的 urlmon.dll中。请确保它不回来为无效类型....又名可执行/ JAVA / ZIP /等。如果它不是一个无效的类型，那么你将有一个非常高度的肯定，这是一个安全的文件！

Based on comments so far.... Based on what you have said you are looking for this method should work quite nicely for you. My suggestion if you are simply wanting to limit it to the types of files listed in one of you comments... Do a simple check on the file extension. If that is valid then pass the file to the urlmon.dll listed in the link. Make sure it doesn't come back as an invalid type....aka Executable/java/zip/etc. If it isn't an invalid type then you will have a very high degree of certainty that it is a safe file!

最后，通过阅读该帖子它看起来像注释的 urlmon.dll中可支持所有你想要隐含的文件类型，这将删除需要检查它不是一个可执行文件或类似这种事情，但你需要确认DOC / DOCX / XSL / XSLX做返回一个有效的MIME类型。

Lastly, reading through the comments on that post it looks like the urlmon.dll might support all the file types you are wanting implicitly which would remove the need to check that it isn't an executable or something of that nature, but you would need to confirm the doc/docx/xsl/xslx do return a valid mime type.

这篇关于如何限制/验证文件上传文件类型的IIS服务器端的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！