GlobaLevel

ASP.NET - Concerned about File upload security

I am using the following code to upload files... but I am concerned about security in the sense that it's available to the public and I want to be sure only certain extensions can be used... .txt or .csv... they are upload address info... but if a hacker comes along... they could upload a file that takes over the system... any code to protect... ideas?

FYI..the whole site has SSL on it..if that makes a difference...
<html>
<head>

    <script language="VB" runat="server">
    
    Sub Button1_Click(sender As Object, e As EventArgs)
        
        if FileUpLoad1.HasFile
            'Uncomment this line to Save the uploaded file
            'FileUpLoad1.SaveAs("C:\SomePhysicalPath\" & FileUpLoad1.Filename)
            Label1.Text = "Received " & FileUpLoad1.FileName & " Content Type " & FileUpLoad1.PostedFile.ContentType & " Length " & FileUpLoad1.PostedFile.ContentLength
        else
            Label1.Text = "No uploaded file"
        end if    
        
    end sub
        
    </script>

</head>
<body>

    <h3><font face="Verdana">File Upload</font></h3>

    <form runat="server">

        <asp:FileUpLoad id="FileUpLoad1" AlternateText="You cannot upload files" runat="server" />
        <asp:Button id="Button1" Text="Upload" OnClick="Button1_Click" runat="server" />
        <asp:Label id="Label1" runat="server" />
    </form>

</body>
</html>


8/22/2022 - Mon
Jerry Miller

Check out this MSDN link:
http://msdn.microsoft.com/en-us/library/aa479405.aspx

It gives you some examples on determining the file size and type before uploading.
GlobaLevel

ASKER
This is good stuff... thanks... I put an instr code piece before the file.upload puts the file on the server to scan for extensions...

I like the <httpRuntime>... but I don't have that in my web.config... can I add that, even though it's not in there? My users have to have an account before they can upload... but I'm still being extra cautious...
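
A hardened version of the question's Button1_Click, as an added example that is not code from this thread or from the linked MSDN article: it compares the final extension against an allowlist instead of searching the name for a substring, caps the size, and saves under a server-generated name. The 1 MB limit and the D:\UploadData folder are assumed values.

```vb
' Added example: hardened replacement for Button1_Click in the page's <script runat="server"> block.
' Assumed values (not from the thread): 1 MB cap, and a storage folder outside the web root.
Private Shared ReadOnly AllowedExtensions As String() = {".txt", ".csv"}
Private Const MaxBytes As Integer = 1048576
Private Const UploadRoot As String = "D:\UploadData"

Sub Button1_Click(sender As Object, e As EventArgs)
    If Not FileUpLoad1.HasFile Then
        Label1.Text = "No uploaded file"
        Return
    End If

    Dim clientName As String
    Dim ext As String
    Try
        ' Drop any directory part, then take only the final extension:
        ' "list.txt.aspx" yields ".aspx", which a substring search for ".txt" would miss.
        clientName = System.IO.Path.GetFileName(FileUpLoad1.FileName)
        ext = System.IO.Path.GetExtension(clientName).ToLowerInvariant()
    Catch ex As ArgumentException
        ' Thrown by .NET Framework when the name contains characters that are invalid in a path.
        Label1.Text = "Invalid file name"
        Return
    End Try

    If Array.IndexOf(AllowedExtensions, ext) < 0 Then
        Label1.Text = "Only .txt and .csv files are accepted"
        Return
    End If

    ' Requests larger than <httpRuntime maxRequestLength> (in KB, default 4096) are rejected
    ' by ASP.NET before this handler runs; this check enforces the tighter per-file limit.
    Dim length As Integer = FileUpLoad1.PostedFile.ContentLength
    If length = 0 OrElse length > MaxBytes Then
        Label1.Text = "File is empty or larger than " & MaxBytes & " bytes"
        Return
    End If

    ' PostedFile.ContentType is browser-supplied, so it plays no part in the decision.
    ' A server-generated name means the client never chooses the path on disk.
    Dim storedName As String = Guid.NewGuid().ToString("N") & ext
    FileUpLoad1.SaveAs(System.IO.Path.Combine(UploadRoot, storedName))

    ' Label.Text is rendered as-is, so encode the client-supplied name before echoing it.
    Label1.Text = "Received " & Server.HtmlEncode(clientName) & " (" & length & " bytes)"
End Sub
```

The account the site runs under needs write access to the upload folder, and that folder should not be mapped as a virtual directory.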