Posted to user@struts.apache.org by struts lover <st...@yahoo.com> on 2004/10/24 20:19:31 UTC

file validation best practice

Hi Everyone,
I wanted to know what is the best practice for file
type validation. I want to allow the user to upload
only certain types of files and disallow all other
types.
I am using Struts FormFile.

Any help would be appreciated.
Thanks.


		

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: file validation best practice - Thanks everyone

Posted by struts lover <st...@yahoo.com>.
Thanks very much.

--- Joe Germuska <Jo...@Germuska.com> wrote:

> At 7:24 AM -0700 10/25/04, struts lover wrote:
> >Hello,
> >Thanks everyone for your interest and replies. Thanks
> >very much.
> >I had one more question. If I use getContentType() of
> >FormFile, does it give the same results on different
> >operating systems that is if the client is using
> >different operating systems.
> 
> Yes, the client determines by its own mechanisms what MIME type to
> send.  For a specific example, MSIE insists on labeling all JPEG
> images as "image/pjpeg".  This is annoying because we use a
> third-party application which explodes when it tries to process
> progressive JPEGs.  We've had to institute a process which "resaves"
> all JPEGs explicitly as not-progressive.  It would be nice if MSIE
> would tell the truth, so we could only use that process when we
> really need it, although I suppose given how badly the third-party
> app response to PJPEGs, it's probably safest that we do this anyway.
> 
> >Does the change in server OS affects the
> >getContentType() result.
> 
> No, it shouldn't, because it simply accepts whatever is sent by the client.
> 
> Joe
> 
> -- 
> Joe Germuska
> Joe@Germuska.com
> http://blog.germuska.com
> "In fact, when I die, if I don't hear 'A Love Supreme,' I'll turn
> back; I'll know I'm in the wrong place."
>     - Carlos Santana



		


Re: file validation best practice - Thanks everyone

Posted by Joe Germuska <Jo...@Germuska.com>.
At 7:24 AM -0700 10/25/04, struts lover wrote:
>Hello,
>Thanks everyone for your interest and replies. Thanks
>very much.
>I had one more question. If I use getContentType() of
>FormFile, does it give the same results on different
>operating systems that is if the client is using
>different operating systems.

Yes, the client determines by its own mechanisms what MIME type to 
send.  For a specific example, MSIE insists on labeling all JPEG 
images as "image/pjpeg".  This is annoying because we use a 
third-party application which explodes when it tries to process 
progressive JPEGs.  We've had to institute a process which "resaves" 
all JPEGs explicitly as not-progressive.  It would be nice if MSIE 
would tell the truth, so we could only use that process when we 
really need it, although I suppose given how badly the third-party 
app responds to PJPEGs, it's probably safest that we do this anyway.

>Does the change in server OS affects the
>getContentType() result.

No, it shouldn't, because it simply accepts whatever is sent by the client.

Joe

-- 
Joe Germuska            
Joe@Germuska.com  
http://blog.germuska.com    
"In fact, when I die, if I don't hear 'A Love Supreme,' I'll turn 
back; I'll know I'm in the wrong place."
    - Carlos Santana

Re: file validation best practice - Thanks everyone

Posted by struts lover <st...@yahoo.com>.
Hello,
Thanks everyone for your interest and replies. Thanks
very much.
I had one more question. If I use getContentType() of
FormFile, does it give the same results on different
operating systems, that is, if the client is using
different operating systems?
Does a change in server OS affect the
getContentType() result?

Thanks once again.

--- Craig McClanahan <cr...@gmail.com> wrote:

> If your server is a Unix platform, one thing you could do is run the
> shell command "file" against the uploaded file, and take a look at the
> result.  This tool ignores any extension on the filename, and examines
> the content of the file itself against signature patterns it knows
> about.
> 
> Craig
> 
> On Sun, 24 Oct 2004 22:30:43 -0400, Bill Siggelkow
> <bi...@bellsouth.net> wrote:
> > I know of no way to deterministically discover what type of file the
> > user sent. There is nothing to prevent a user from taking a .exe file
> > and changing the extension to .txt or anything else ... others may have
> > a better idea ...
> > 
> > struts lover wrote:
> > 
> > > Thanks Bill.
> > > I had another question. What if the user has some .exe
> > > file with .doc extension. I mean somefile.exe.doc.
> > > How do I check the valid file type with the extension.
> > >
> > > Thanks once again.
> > >
> > > --- Bill Siggelkow <bi...@bellsouth.net> wrote:
> > >
> > >>U can set the accepted mime types on the input tag;
> > >>however, the browser
> > >>may not do anything with this information; so in
> > >>your ActionForm, I
> > >>suggest you validate the type by checking the
> > >>extension of the received
> > >>file name.
> > >>
> > >>struts lover wrote:
> > >>
> > >>>Hi Everyone,
> > >>>I wanted to know what is the best practice for file
> > >>>type validation. I want the user to allow to upload
> > >>>only certain type of files and disallow all other
> > >>>types.
> > >>>I am using Struts FormFile.
> > >>>
> > >>>Any help would be appreciated.
> > >>>Thanks.


Re: file validation best practice

Posted by Michael McGrady <mi...@michaelmcgrady.com>.
Also, there is JHOVE http://hul.harvard.edu/jhove/

Michael McGrady

Joe Germuska wrote:

>> If your server is a Unix platform, one thing you could do is run the
>> shell command "file" against the uploaded file, and take a look at the
>> result.  This tool ignores any extension on the filename, and examines
>> the content of the file itself against signature patterns it knows
>> about.
>
>
> For image, Marco Schmidt has some great 100% Java utilities that can 
> verify the uploaded image type and other information.
>
> http://www.geocities.com/marcoschmidt.geo/java-file-format-identification.html 
>
> http://www.geocities.com/marcoschmidt.geo/image-info.html
>
> Joe
>





Re: file validation best practice

Posted by Joe Germuska <Jo...@Germuska.com>.
>If your server is a Unix platform, one thing you could do is run the
>shell command "file" against the uploaded file, and take a look at the
>result.  This tool ignores any extension on the filename, and examines
>the content of the file itself against signature patterns it knows
>about.

For images, Marco Schmidt has some great 100% Java utilities that can 
verify the uploaded image type and other information.

http://www.geocities.com/marcoschmidt.geo/java-file-format-identification.html
http://www.geocities.com/marcoschmidt.geo/image-info.html

Joe

-- 
Joe Germuska            
Joe@Germuska.com  
http://blog.germuska.com    
"In fact, when I die, if I don't hear 'A Love Supreme,' I'll turn 
back; I'll know I'm in the wrong place."
    - Carlos Santana
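
Added example, not part of any poster's message: the thread's two points combined, namely that getContentType() and the file name are whatever the client sent, and that the content itself can be checked against known signatures. The class name, allow-list and sample bytes are assumptions constructed for illustration; in a Struts action the leading bytes would be read from FormFile.getInputStream() and the other two values from getFileName() and getContentType().

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example: classify an upload by its leading bytes; client-supplied metadata is advisory only.
public class UploadTypeCheck {
    // Allow-list (an assumption for this example): accepted type -> signature at offset 0.
    private static final Map<String, byte[]> ALLOWED = new LinkedHashMap<>();
    static {
        ALLOWED.put("image/jpeg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF});
        ALLOWED.put("image/png", new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A});
        ALLOWED.put("image/gif", "GIF8".getBytes(StandardCharsets.US_ASCII));
        ALLOWED.put("application/pdf", "%PDF-".getBytes(StandardCharsets.US_ASCII));
    }

    // Returns the allow-listed type whose signature starts the content, or null if none does.
    static String sniff(byte[] head) {
        for (Map.Entry<String, byte[]> e : ALLOWED.entrySet()) {
            byte[] sig = e.getValue();
            if (head.length >= sig.length && Arrays.equals(Arrays.copyOf(head, sig.length), sig)) {
                return e.getKey();
            }
        }
        return null;
    }

    // The decision uses only the content; name and declared type are reported for the audit log.
    static String check(String fileName, String declaredType, byte[] head) {
        String detected = sniff(head);
        if (detected == null) {
            return "REJECT " + fileName + ": no allowed signature (client declared " + declaredType + ")";
        }
        // MSIE labels JPEGs "image/pjpeg" (see the thread), so normalise before comparing.
        String declared = "image/pjpeg".equals(declaredType) ? "image/jpeg" : declaredType;
        String note = detected.equals(declared) ? "" : " (client declared " + declaredType + ")";
        return "ACCEPT " + fileName + " as " + detected + note;
    }

    public static void main(String[] args) {
        // Constructed sample uploads: file name, client-declared type, first bytes of content.
        byte[] jpeg = {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF, (byte) 0xE0, 0, 0x10, 'J', 'F', 'I', 'F'};
        byte[] exe = {'M', 'Z', (byte) 0x90, 0};
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 0x0D};
        System.out.println(check("photo.jpg", "image/pjpeg", jpeg));
        System.out.println(check("somefile.exe.doc", "application/msword", exe));
        System.out.println(check("notes.txt", "text/plain", png));
    }
}
```

A matching signature only shows how the file starts; fully parsing or re-encoding the content, as image libraries do, is a stronger check than the prefix alone.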

Re: file validation best practice

Posted by Craig McClanahan <cr...@gmail.com>.
If your server is a Unix platform, one thing you could do is run the
shell command "file" against the uploaded file, and take a look at the
result.  This tool ignores any extension on the filename, and examines
the content of the file itself against signature patterns it knows
about.

Craig



On Sun, 24 Oct 2004 22:30:43 -0400, Bill Siggelkow
<bi...@bellsouth.net> wrote:
> I know of no way to deterministically discover what type of file the
> user sent. There is nothing to prevent a user from taking a .exe file
> and changing the extension to .txt or anything else ... others may have
> a better idea ...
> 
> 
> 
> struts lover wrote:
> 
> > Thanks Bill.
> > I had another question. What if the user has some .exe
> > file with .doc extension. I mean somefile.exe.doc.
> > How do I check the valid file type with the extension.
> >
> > Thanks once again.
> >
> > --- Bill Siggelkow <bi...@bellsouth.net> wrote:
> >
> >
> >>U can set the accepted mime types on the input tag;
> >>however, the browser
> >>may not do anything with this information; so in
> >>your ActionForm, I
> >>suggest you validate the type by checking the
> >>extension of the received
> >>file name.
> >>
> >>struts lover wrote:
> >>
> >>
> >>>Hi Everyone,
> >>>I wanted to know what is the best practice for file
> >>>type validation. I want the user to allow to upload
> >>>only certain type of files and disallow all other
> >>>types.
> >>>I am using Struts FormFile.
> >>>
> >>>Any help would be appreciated.
> >>>Thanks.


Re: file validation best practice

Posted by Bill Siggelkow <bi...@bellsouth.net>.
I know of no way to deterministically discover what type of file the 
user sent. There is nothing to prevent a user from taking a .exe file 
and changing the extension to .txt or anything else ... others may have 
a better idea ...

struts lover wrote:

> Thanks Bill.
> I had another question. What if the user has some .exe
> file with .doc extension. I mean somefile.exe.doc.
> How do I check the valid file type with the extension.
> 
> Thanks once again.
> 
> --- Bill Siggelkow <bi...@bellsouth.net> wrote:
> 
> 
>>U can set the accepted mime types on the input tag;
>>however, the browser 
>>may not do anything with this information; so in
>>your ActionForm, I 
>>suggest you validate the type by checking the
>>extension of the received 
>>file name.
>>
>>struts lover wrote:
>>
>>
>>>Hi Everyone,
>>>I wanted to know what is the best practice for file
>>>type validation. I want the user to allow to upload
>>>only certain type of files and disallow all other
>>>types.
>>>I am using Struts FormFile.
>>>
>>>Any help would be appreciated.
>>>Thanks.


Re: file validation best practice

Posted by struts lover <st...@yahoo.com>.
Thanks Bill.
I had another question. What if the user has some .exe
file with a .doc extension? I mean somefile.exe.doc.
How do I check the valid file type with the extension?

Thanks once again.

--- Bill Siggelkow <bi...@bellsouth.net> wrote:

> U can set the accepted mime types on the input tag;
> however, the browser may not do anything with this information; so in
> your ActionForm, I suggest you validate the type by checking the
> extension of the received file name.
> 
> struts lover wrote:
> 
> > Hi Everyone,
> > I wanted to know what is the best practice for file
> > type validation. I want the user to allow to upload
> > only certain type of files and disallow all other
> > types.
> > I am using Struts FormFile.
> > 
> > Any help would be appreciated.
> > Thanks.


Re: file validation best practice

Posted by Bill Siggelkow <bi...@bellsouth.net>.
You can set the accepted MIME types on the input tag; however, the browser 
may not do anything with this information; so in your ActionForm, I 
suggest you validate the type by checking the extension of the received 
file name.

struts lover wrote:

> Hi Everyone,
> I wanted to know what is the best practice for file
> type validation. I want the user to allow to upload
> only certain type of files and disallow all other
> types. 
> I am using Struts FormFile.
> 
> Any help would be appreciated.
> Thanks.