File Upload Security

Hi, guys.

I haven’t written for a while, but better late than never... So, what is the story?

In web development exist the problem with uploading files with malicious content, which can harm the server or the system (site) at all. The most common way to protect from this is to restrict file types by checking file extension and mime-types, and only allow certain types to be uploaded. But in some situation it’s not enough.
To start with brief explanation of what is mime-type and file extension. Mime-type (Multimedia Internet Mail Extensions) describes what kind of information file contains. In addition mime-types are used by web servers to specify file type when it responds to the browser's HTTP request (stored in HTTP header). Every browser interprets mime-type in its own way and every file may have more than one mime-type.
Everybody knows what the file extension is. It’s the same as mime-type, but it’s used by operating system to know the type of data in file and which program windows must use to open it. Some OS (UNIX) are not supporting file extensions.
To perform more security we may check not only mime-types and extension as well as file signature. Every file has unique characters in the first 20 bytes (may be less than 20 and not exactly consecutively). This data are presented in two forms – hexadecimal and ASCII text. Second one is not necessary to have sense (Pdf files have ASCII text “%PDF“, for example). To read file header from stream, you may use this C# code:

string hex = string.Empty;

int bytesToReading = (stream.Length < 20) ?

Convert.ToInt32(stream.Length) : 20;

Byte[] bytes = new byte[bytesToReading];

stream.Read(bytes, 0, bytesToReading);

for (int i = 0; i < bytesToReading; i++)

{

if (bytes[i] != 0)

{

hex += bytes[i].ToString("X");

}

}

stream.Position = stream.Seek(-bytesToReading, SeekOrigin.Current);

I’ll give a simple solution to put all this in your system. In xml file describes “file” objects, which will have extension, list of mime-types and list of possible hex signatures, which file may have. This information you can get form internet (http://www.garykessler.net/library/file_sigs.html, http://mark0.net/soft-trid-deflist.html). I recommend you to check signatures in more than one source. This xml file will collect “files”, which system will allow to be uploaded. Then parse the information from xml and fill it in static objects representing the xml structure. System will allow uploading a file, when his extension, mime-type and hex signature match with some of these with one from static “file” objects. And this simple solution will prevent unnecessary file uploading.

When searching the internet about this issue I found a very simple and useful tool called TrIDNet, which identify file by its content.

I will glad to hear your opinion about the problem.

Get Assembly Strong Name in Context Menu

Hi guys!

This will be my first topic in my “blogging career” and I hope it will be useful.

What is the main idea?

Maybe every .NET developer at times it is required to know the version of some assembly, or whether it’s signed or not. To get this you have to see the Strong Name of assembly, which it’s consisted from Name, Version Number, Culture and Public Key Token. And this will have to do it quite often. The way to do this is to open assembly in Reflector, Visual Studio or Dependency Killer (this is a great tool of my friend Vesko Kolev). My main idea is to create faster way to do this - application, which gives you option to get strong name of assembly in context menu of Windows.

To add something in context menu of Windows we have to get involved in windows registry. But what is this? Registry is “hierarchical database used in Microsoft to store information that is necessary to configure the system for one or more users, applications and hardware devices”. “Each branch is called a Key. Each key can contain other keys, as well as Values. Each value contains the actual information stored in the Registry.” All registries are stored in two files in your Windows directory, USER.DAT and SYSTEM.DAT. Don’t touch them!

Before you make any change of registry you have to create backup. Look here.

I created helping tool that added all you need in registry to get your command in context menu, which should start application that I previously mentioned.

You can download source code from here.

Only thing you have to do is to choose name of command and select full path to the executable file of the application (GetAssemblyStrongName.exe).

But what Registry Editor does in the background? I will show how you can do everything by yourself that Registry Editor does and that I will explain it.

1. Type regedit in Run window to open Registry Editor of Windows.

2. Go to “HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfiles”

3. If there is no key with name “shell” you have to create it.

4. In “shell” key add other one with name, which you want to show in context menu. If placed not in “shell, the command name will not appear in context menu.

5. In the key, created in the previous step, create one more with the name “command”

6. In the key, created in the previous step, set the (Default) value data of “PATH_TO_THE_PROGRAM %1”, where PATH_TO_THE_PROGRAM is full path to GetAssemblyStrongName.exe.

This “%1” in the end of value data is placeholder for current file on which you click to show context menu. Actually I pass the full path of file as a command line argument on the application.

If you look at other keys in “HKEY_LOCAL_MACHINE\SOFTWARE\Classes” which corresponds to other extensions like “txtfile”, “mp3file”, etc. you will see the same keys structure that I described.

The application uses RegistryKey class in Microsoft.Win32 namespace to open and create registry key in the system. This class is disposable object and should be closed after you finish work with it. To set (Default) value data of key I am using SetValue method of RegistryKey class with first parameter empty string.

Last thing that I should explain is the Get Assembly Strong Name application. It is very simple and the only thing it does is to get command line argument and to show in textbox the information for assembly. For presentation I use Windows Forms. Here is the code.

Conclusion

In this topic I don’t show anything hard and revolutionary, but I want show you how can create something useful with not much efforts. And in the meantime you learn something.