Posted to user@struts.apache.org by struts lover <st...@yahoo.com> on 2004/10/24 20:19:31 UTC
file validation best practice
Hi Everyone,
I wanted to know what is the best practice for file
type validation. I want to allow the user to upload
only certain types of files and disallow all other
types.
I am using Struts FormFile.
Any help would be appreciated.
Thanks.
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
Re: file validation best practice - Thanks everyone
Posted by struts lover <st...@yahoo.com>.
Thanks very much.
--- Joe Germuska <Jo...@Germuska.com> wrote:
> At 7:24 AM -0700 10/25/04, struts lover wrote:
> >Hello,
> >Thanks everyone for your interest and replies. Thanks
> >very much.
> >I had one more question. If I use getContentType() of
> >FormFile, does it give the same results on different
> >operating systems that is if the client is using
> >different operating systems.
>
> Yes, the client determines by its own mechanisms what MIME type to
> send. For a specific example, MSIE insists on labeling all JPEG
> images as "image/pjpeg". This is annoying because we use a
> third-party application which explodes when it tries to process
> progressive JPEGs. We've had to institute a process which "resaves"
> all JPEGs explicitly as not-progressive. It would be nice if MSIE
> would tell the truth, so we could only use that process when we
> really need it, although I suppose given how badly the third-party
> app responds to PJPEGs, it's probably safest that we do this anyway.
>
> >Does the change in server OS affect the
> >getContentType() result?
>
> No, it shouldn't, because it simply accepts whatever is sent by the client.
>
> Joe
>
> --
> Joe Germuska
> Joe@Germuska.com
> http://blog.germuska.com
> "In fact, when I die, if I don't hear 'A Love Supreme,' I'll turn
> back; I'll know I'm in the wrong place."
> - Carlos Santana
Re: file validation best practice - Thanks everyone
Posted by Joe Germuska <Jo...@Germuska.com>.
At 7:24 AM -0700 10/25/04, struts lover wrote:
>Hello,
>Thanks everyone for your interest and replies. Thanks
>very much.
>I had one more question. If I use getContentType() of
>FormFile, does it give the same results on different
>operating systems that is if the client is using
>different operating systems.
Yes, the client determines by its own mechanisms what MIME type to
send. For a specific example, MSIE insists on labeling all JPEG
images as "image/pjpeg". This is annoying because we use a
third-party application which explodes when it tries to process
progressive JPEGs. We've had to institute a process which "resaves"
all JPEGs explicitly as not-progressive. It would be nice if MSIE
would tell the truth, so we could only use that process when we
really need it, although I suppose given how badly the third-party
app responds to PJPEGs, it's probably safest that we do this anyway.
>Does the change in server OS affect the
>getContentType() result?
No, it shouldn't, because it simply accepts whatever is sent by the client.
Joe
--
Joe Germuska
Joe@Germuska.com
http://blog.germuska.com
"In fact, when I die, if I don't hear 'A Love Supreme,' I'll turn
back; I'll know I'm in the wrong place."
- Carlos Santana
Re: file validation best practice - Thanks everyone
Posted by struts lover <st...@yahoo.com>.
Hello,
Thanks everyone for your interest and replies. Thanks
very much.
I had one more question. If I use getContentType() of
FormFile, does it give the same results on different
operating systems that is if the client is using
different operating systems.
Does the change in server OS affect the
getContentType() result?
Thanks once again.
--- Craig McClanahan <cr...@gmail.com> wrote:
> If your server is a Unix platform, one thing you could do is run the
> shell command "file" against the uploaded file, and take a look at the
> result. This tool ignores any extension on the filename, and examines
> the content of the file itself against signature patterns it knows
> about.
>
> Craig
>
> On Sun, 24 Oct 2004 22:30:43 -0400, Bill Siggelkow
> <bi...@bellsouth.net> wrote:
> > I know of no way to deterministically discover what type of file the
> > user sent. There is nothing to prevent a user from taking a .exe file
> > and changing the extension to .txt or anything else ... others may have
> > a better idea ...
> >
> > struts lover wrote:
> >
> > > Thanks Bill.
> > > I had another question. What if the user has some .exe
> > > file with .doc extension. I mean somefile.exe.doc.
> > > How do I check the valid file type with the extension.
> > >
> > > Thanks once again.
> > >
> > > --- Bill Siggelkow <bi...@bellsouth.net> wrote:
> > >
> > >>U can set the accepted mime types on the input tag; however, the browser
> > >>may not do anything with this information; so in your ActionForm, I
> > >>suggest you validate the type by checking the extension of the received
> > >>file name.
> > >>
> > >>struts lover wrote:
> > >>
> > >>>Hi Everyone,
> > >>>I wanted to know what is the best practice for file
> > >>>type validation. I want to allow the user to upload
> > >>>only certain types of files and disallow all other
> > >>>types.
> > >>>I am using Struts FormFile.
> > >>>
> > >>>Any help would be appreciated.
> > >>>Thanks.
Re: file validation best practice
Posted by Michael McGrady <mi...@michaelmcgrady.com>.
Also, there is JHOVE http://hul.harvard.edu/jhove/
Michael McGrady
Joe Germuska wrote:
>> If your server is a Unix platform, one thing you could do is run the
>> shell command "file" against the uploaded file, and take a look at the
>> result. This tool ignores any extension on the filename, and examines
>> the content of the file itself against signature patterns it knows
>> about.
>
>
> For image, Marco Schmidt has some great 100% Java utilities that can
> verify the uploaded image type and other information.
>
> http://www.geocities.com/marcoschmidt.geo/java-file-format-identification.html
>
> http://www.geocities.com/marcoschmidt.geo/image-info.html
>
> Joe
>
Re: file validation best practice
Posted by Joe Germuska <Jo...@Germuska.com>.
>If your server is a Unix platform, one thing you could do is run the
>shell command "file" against the uploaded file, and take a look at the
>result. This tool ignores any extension on the filename, and examines
>the content of the file itself against signature patterns it knows
>about.
For image, Marco Schmidt has some great 100% Java utilities that can
verify the uploaded image type and other information.
http://www.geocities.com/marcoschmidt.geo/java-file-format-identification.html
http://www.geocities.com/marcoschmidt.geo/image-info.html
Joe
--
Joe Germuska
Joe@Germuska.com
http://blog.germuska.com
"In fact, when I die, if I don't hear 'A Love Supreme,' I'll turn
back; I'll know I'm in the wrong place."
- Carlos Santana
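The content-signature idea quoted above (what "file" does), written in plain Java next to an extension allowlist; this is an added example, not code from the thread or from the utilities linked in this post. The class name, the allowlist entries and the sample bytes are assumptions made for illustration, and it needs Java 11 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;

public class UploadTypeCheck {
    // Allowlist (illustrative): accepted extension -> bytes the content must start with.
    static final Map<String, byte[]> SIGNATURES = Map.of(
        "jpg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "png", new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A},
        "gif", "GIF8".getBytes(StandardCharsets.US_ASCII),
        "pdf", "%PDF-".getBytes(StandardCharsets.US_ASCII));

    /**
     * Accepts an upload only if its last extension is allowlisted AND the content
     * begins with that type's signature. The client-supplied Content-Type is never
     * consulted. In a Struts action the arguments would come from
     * FormFile.getFileName() and FormFile.getInputStream().
     */
    static boolean isAllowed(String fileName, InputStream content) throws IOException {
        int dot = fileName.lastIndexOf('.');
        if (dot < 0 || dot == fileName.length() - 1) return false;   // no extension
        String ext = fileName.substring(dot + 1).toLowerCase(Locale.ROOT);
        byte[] magic = SIGNATURES.get(ext);
        if (magic == null) return false;                              // type not on the allowlist
        byte[] head = content.readNBytes(magic.length);               // a short file simply fails to match
        return Arrays.equals(head, magic);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample headers, not real files.
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 0x0D};
        byte[] jpeg = {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF, (byte) 0xE0, 0, 0x10};
        byte[] exe = {'M', 'Z', (byte) 0x90, 0, 3, 0, 0, 0};          // DOS/PE executable header

        String[] names = {"photo.PNG", "scan.jpg", "somefile.exe.doc", "setup.exe.png", "notes"};
        byte[][] bodies = {png, jpeg, exe, exe, png};
        for (int i = 0; i < names.length; i++) {
            boolean ok = isAllowed(names[i], new ByteArrayInputStream(bodies[i]));
            System.out.println(names[i] + " -> " + (ok ? "accept" : "reject"));
        }
    }
}
```

A matching signature only establishes how the file begins, so the stored upload should still be handled as untrusted data by whatever processes it next.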
Re: file validation best practice
Posted by Craig McClanahan <cr...@gmail.com>.
If your server is a Unix platform, one thing you could do is run the
shell command "file" against the uploaded file, and take a look at the
result. This tool ignores any extension on the filename, and examines
the content of the file itself against signature patterns it knows
about.
Craig
On Sun, 24 Oct 2004 22:30:43 -0400, Bill Siggelkow
<bi...@bellsouth.net> wrote:
> I know of no way to deterministically discover what type of file the
> user sent. There is nothing to prevent a user from taking a .exe file
> and changing the extension to .txt or anything else ... others may have
> a better idea ...
>
>
>
> struts lover wrote:
>
> > Thanks Bill.
> > I had another question. What if the user has some .exe
> > file with .doc extension. I mean somefile.exe.doc.
> > How do I check the valid file type with the extension.
> >
> > Thanks once again.
> >
> > --- Bill Siggelkow <bi...@bellsouth.net> wrote:
> >
> >
> >>U can set the accepted mime types on the input tag; however, the browser
> >>may not do anything with this information; so in your ActionForm, I
> >>suggest you validate the type by checking the extension of the received
> >>file name.
> >>
> >>struts lover wrote:
> >>
> >>>Hi Everyone,
> >>>I wanted to know what is the best practice for file
> >>>type validation. I want to allow the user to upload
> >>>only certain types of files and disallow all other
> >>>types.
> >>>I am using Struts FormFile.
> >>>
> >>>Any help would be appreciated.
> >>>Thanks.
Re: file validation best practice
Posted by Bill Siggelkow <bi...@bellsouth.net>.
I know of no way to deterministically discover what type of file the
user sent. There is nothing to prevent a user from taking a .exe file
and changing the extension to .txt or anything else ... others may have
a better idea ...
struts lover wrote:
> Thanks Bill.
> I had another question. What if the user has some .exe
> file with .doc extension. I mean somefile.exe.doc.
> How do I check the valid file type with the extension.
>
> Thanks once again.
>
> --- Bill Siggelkow <bi...@bellsouth.net> wrote:
>
>
>>U can set the accepted mime types on the input tag; however, the browser
>>may not do anything with this information; so in your ActionForm, I
>>suggest you validate the type by checking the extension of the received
>>file name.
>>
>>struts lover wrote:
>>
>>>Hi Everyone,
>>>I wanted to know what is the best practice for file
>>>type validation. I want to allow the user to upload
>>>only certain types of files and disallow all other
>>>types.
>>>I am using Struts FormFile.
>>>
>>>Any help would be appreciated.
>>>Thanks.
Re: file validation best practice
Posted by struts lover <st...@yahoo.com>.
Thanks Bill.
I had another question. What if the user has some .exe
file with .doc extension. I mean somefile.exe.doc.
How do I check the valid file type with the extension.
Thanks once again.
--- Bill Siggelkow <bi...@bellsouth.net> wrote:
> U can set the accepted mime types on the input tag; however, the browser
> may not do anything with this information; so in your ActionForm, I
> suggest you validate the type by checking the extension of the received
> file name.
>
> struts lover wrote:
>
> > Hi Everyone,
> > I wanted to know what is the best practice for file
> > type validation. I want to allow the user to upload
> > only certain types of files and disallow all other
> > types.
> > I am using Struts FormFile.
> >
> > Any help would be appreciated.
> > Thanks.
Re: file validation best practice
Posted by Bill Siggelkow <bi...@bellsouth.net>.
U can set the accepted mime types on the input tag; however, the browser
may not do anything with this information; so in your ActionForm, I
suggest you validate the type by checking the extension of the received
file name.
struts lover wrote:
> Hi Everyone,
> I wanted to know what is the best practice for file
> type validation. I want to allow the user to upload
> only certain types of files and disallow all other
> types.
> I am using Struts FormFile.
>
> Any help would be appreciated.
> Thanks.