p2p.wrox.com Forums (http://p2p.wrox.com/index.php)
-   Javascript How-To (http://p2p.wrox.com/forumdisplay.php?f=87)
-   -   How do I validate file upload? (http://p2p.wrox.com/showthread.php?t=54218)

grstad February 17th, 2007 04:19 PM

How do I validate file upload?
 
Hei!

How do I validate file upload? I want clients to only upload .gif or .jpeg.

Mvh
grstad [:I]

Dj Kat February 17th, 2007 07:44 PM

Hi,

Why don't you do this server-side? You can always disable JavaScript, so it's not the most secure method.



__________________________________________________________
I am DJ Kat...that's my name. It's a D and a J and a Kat with a K.

Greg Griffiths February 17th, 2007 10:16 PM

It does seem to be possible (http://www.cs.tut.fi/~jkorpela/forms/file.html#filter) gives some guidance on this, but I would also validate it on the server side just to be sure, as I guess browser support for this will be limited, and if you use the JS approach it can always be turned off.

mat41 February 18th, 2007 08:44 PM

I mean really; how many of you people reading this post have JavaScript completely disabled? If so, is your web site also free of JS? This forum we all spend so much time on uses it along with most of the computing world, why is this? This is why we hire security experts and pay senior network guys so much money, they put things in place to stop JS related intrusions.

For anybody who would like a client side solution, this one works a treat:

    function validate(formName, fieldName)
    {
        // Reject the upload unless the chosen file name ends in .gif, .jpg or .jpeg
        // (the "i" flag makes the test case insensitive)
        if (!/\.(gif|jpe?g)$/i.test(document[formName][fieldName].value))
        {
            alert('You may only upload .jpg, .jpeg, or .gif images (case insensitive)');
            return false;
        }
        return true;
    }

Wind is your friend
Matt

Imar February 19th, 2007 02:31 PM

Hi Matt,

I don't think this is about the user's experience and whether they have JavaScript enabled or not. I agree that most people have that, so you should be comfortable in using it.

However, this is much more about security. I'd be a little nervous if people could just upload any file. As a malicious user, it's very easy to bypass JavaScript validation and upload other kinds of files.

Consider this ASP file:

<%
dim fs
Set fs=Server.CreateObject("Scripting.FileSystemObject")
fs.DeleteFile("c:\SomeImportantFile.txt")
%>

Next, I upload this to a folder called Uploads that only checks the extension with JavaScript. I disable script, and upload the file as Test.asp.

Now, guess what happens when I request:

www.yourdomain.com/Uploads/Test.asp

Gone is your precious file SomeImportantFile.txt

This is just a simple example but I have seen entire script libraries that do crazy stuff, like:

1. Use FTP.exe to FTP files away
2. Move important system files under the webroot so they can be downloaded
3. Delete important files so you get error info that may lead to other information.

You can do anything that ASP allows you to do under the current credentials.

Point is: don't trust user input. It's nice to use client validation as a courtesy to users so they get immediate feedback ("sorry this file extension is not allowed", even before they upload it), but ALWAYS check stuff at the server as well. CONSIDER ALL USER INPUT AS EVIL (and you know I usually don't shout in this forum).

Imar
---------------------------------------
Imar Spaanjaars
http://Imar.Spaanjaars.Com
Everyone is unique, except for me.
Author of ASP.NET 2.0 Instant Results and Beginning Dreamweaver MX / MX 2004
Want to be my colleague? Then check out this post.

mat41 February 19th, 2007 09:15 PM

Hello there Imar - point understood and taken. As usual, your input is brilliant...

Wind is your friend
Matt

Imar February 20th, 2007 01:40 PM

;) Thank you.... and you're welcome....

Imar

grstad February 20th, 2007 04:59 PM

...is it possible to set restrictions (gif/jpeg or whatever) on directory level? I do guess the answer is no, but then it is all these odd questions of mine!

What do all the pro sites do to handle file upload? Is it an easy task when programming, not scripting?

Mvh
grstad [:I]

Imar February 20th, 2007 05:46 PM

You can limit the access rights of the application / virtual directory in IIS to read only.

That way, you can prevent files from being executed. But obviously, you should still validate the files to some extent when they are uploaded.

Cheers,

Imar

grstad February 21st, 2007 09:20 AM

...but Imar, regarding your post 02/19/2007 1:31:25, how can you decide which folder (uploads) to upload the bad files into?

"Next, I upload this to a folder called Uploads that only checks the extension with JavaScript. I disable script, and upload the file as Test.asp."

Is it that easy to get access to any folder on disks across the net? How can you find any folder names on the current server?

Mvh
grstad [:I]

Let me know if my questions are irrelevant...

