If someone changes a file's extension from .jpg to .doc and tries to upload it to the server, checking the extension alone will not catch it.
The code below validates the file content for .doc, .xls, .txt, .pdf, .docx and .xlsx files.
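/// <summary>
/// Checks that the content of a file on disk is consistent with its extension.
/// Despite the name ("is PDF header"), the method handles .pdf, .doc, .xls, .docx,
/// .xlsx and .txt; every other extension is rejected.
/// </summary>
/// <param name="fileName">Path of the file to inspect; its extension selects the check.</param>
/// <returns>
/// <c>true</c> when the leading bytes match the signature expected for the extension
/// (or, for .txt, when no block-listed term is found); otherwise <c>false</c>.
/// </returns>
/// <remarks>
/// A matching signature only shows that the file starts like the claimed format. It does
/// not show that the rest of the file is well-formed or harmless, so this check should be
/// one upload control among several, not the only one.
/// </remarks>
public bool EsCabeceraPDF(string fileName)
{
    // Invariant lower-casing keeps the comparison independent of the server's culture.
    string ext = (Path.GetExtension(fileName) ?? string.Empty).ToLowerInvariant();

    byte[] expected = null;
    if (ext == ".pdf")
    {
        // "%PDF"
        expected = new byte[] { 0x25, 0x50, 0x44, 0x46 };
    }
    else if (ext == ".doc" || ext == ".xls")
    {
        // OLE2 compound-file signature used by the legacy binary Office formats.
        expected = new byte[] { 0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1 };
    }
    else if (ext == ".docx" || ext == ".xlsx")
    {
        // ZIP local-file header "PK\x03\x04" (0x04034b50 when read as a little-endian
        // integer) followed by the version/flag bytes 14 00 06 00.
        // NOTE(review): archives written by other tools may carry different values in
        // bytes 4-7 and would be rejected here - confirm this strictness is intended.
        expected = new byte[] { 0x50, 0x4B, 0x03, 0x04, 0x14, 0x00, 0x06, 0x00 };
    }

    // The file is opened for every extension, as before, so a missing or unreadable
    // file still surfaces as an exception instead of a silent "false".
    using (FileStream fs = new FileStream(fileName, FileMode.Open, FileAccess.Read))
    {
        if (expected != null)
        {
            using (BinaryReader br = new BinaryReader(fs))
            {
                byte[] buffer = br.ReadBytes(expected.Length);

                // ReadBytes returns fewer bytes for a short file; indexing past the end
                // used to throw instead of rejecting the upload.
                if (buffer.Length < expected.Length)
                {
                    return false;
                }

                for (int i = 0; i < expected.Length; i++)
                {
                    if (buffer[i] != expected[i])
                    {
                        return false;
                    }
                }

                return true;
            }
        }

        if (ext != ".txt")
        {
            return false;
        }

        string fileText;
        using (StreamReader reader = new StreamReader(fs))
        {
            fileText = reader.ReadToEnd();
        }

        // An empty text file has nothing to scan and is accepted.
        if (fileText == "")
        {
            return true;
        }

        // NOTE(review): _objcls.SQL_Inject is defined elsewhere. The content is not
        // lower-cased here, so upper-case keywords are caught only if that helper
        // normalises case - confirm.
        string cleaned = _objcls.SQL_Inject(fileText);

        // This keyword scan rejects any text containing ';', '<', "from", "open" and the
        // like, so ordinary prose can fail it. Protection against SQL injection and
        // script injection still has to come from parameterised queries and output
        // encoding wherever the text is used.
        string[] BlockList = { "--", ";--", ";", "@@", "/*", "*/", "alter", "begin", "create", "cursor", "declare", "delete", "drop", "exec", "execute", "fetch", "having", "insert", "open", "from", "select", "table", "union", "update", "procedure", "proc", "function", "<", ">", "script","_SCRIP" };
        foreach (string entry in BlockList)
        {
            if (cleaned.Contains(entry.Trim().ToLowerInvariant()))
            {
                return false;
            }
        }

        return true;
    }
}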
The code below validates the file content for .doc, .xls, .txt, .pdf, .docx and .xlsx files.
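/// <summary>
/// Validates that a file's leading bytes (or, for .txt, its text) fit the type implied
/// by its extension. Supported extensions are .pdf, .doc, .xls, .docx, .xlsx and .txt;
/// anything else returns <c>false</c>. The name means "is PDF header", but the method
/// covers all of these types.
/// </summary>
/// <param name="fileName">Path of the file to check.</param>
/// <returns><c>true</c> if the content passes the check for its extension.</returns>
/// <remarks>
/// Only the file signature is compared. A file can begin with a valid signature and
/// still carry unwanted content further in, so treat a <c>true</c> result as "not
/// obviously mislabelled" and not as "safe".
/// </remarks>
public bool EsCabeceraPDF(string fileName)
{
    string ext = Path.GetExtension(fileName);

    // Both readers are disposed on every return path; they were previously left open,
    // which kept a handle on the uploaded file.
    using (FileStream fs = new FileStream(fileName, FileMode.Open, FileAccess.Read))
    using (BinaryReader br = new BinaryReader(fs))
    {
        // Culture-independent lower-casing, done once for all comparisons below.
        string kind = ext.ToLowerInvariant();

        if (kind == ".pdf")
        {
            // "%PDF". The length test rejects files shorter than the signature, which
            // used to raise an index error.
            byte[] head = br.ReadBytes(4);
            return head.Length == 4
                && head[0] == 0x25 && head[1] == 0x50
                && head[2] == 0x44 && head[3] == 0x46;
        }

        if (kind == ".doc" || kind == ".xls")
        {
            // OLE2 compound-file signature of the legacy binary Office formats.
            byte[] head = br.ReadBytes(8);
            return head.Length == 8
                && head[0] == 0xD0 && head[1] == 0xCF
                && head[2] == 0x11 && head[3] == 0xE0
                && head[4] == 0xA1 && head[5] == 0xB1
                && head[6] == 0x1A && head[7] == 0xE1;
        }

        if (kind == ".docx" || kind == ".xlsx")
        {
            // ZIP local-file header "PK\x03\x04" (0x04034b50 as a little-endian integer)
            // plus the version/flag bytes 14 00 06 00.
            // NOTE(review): bytes 4-7 vary between ZIP writers, so files produced by
            // other tools may be rejected - confirm this is acceptable.
            byte[] head = br.ReadBytes(8);
            return head.Length == 8
                && head[0] == 0x50 && head[1] == 0x4B
                && head[2] == 0x03 && head[3] == 0x04
                && head[4] == 0x14 && head[5] == 0x00
                && head[6] == 0x06 && head[7] == 0x00;
        }

        if (kind == ".txt")
        {
            string content;
            using (StreamReader reader = new StreamReader(fileName))
            {
                content = reader.ReadToEnd();
            }

            // Empty text files are accepted without scanning.
            if (content == "")
            {
                return true;
            }

            // NOTE(review): SQL_Inject lives outside this method; whether it lower-cases
            // its input decides if upper-case keywords are detected - verify.
            string filtered = _objcls.SQL_Inject(content);

            // A substring block list is a coarse filter: it rejects harmless text that
            // contains ';' or "select", and it does not replace parameterised queries or
            // output encoding at the point where the text is consumed.
            string[] BlockList = { "--", ";--", ";", "@@", "/*", "*/", "alter", "begin", "create", "cursor", "declare", "delete", "drop", "exec", "execute", "fetch", "having", "insert", "open", "from", "select", "table", "union", "update", "procedure", "proc", "function", "<", ">", "script","_SCRIP" };
            for (int i = 0; i < BlockList.Length; i++)
            {
                string term = BlockList[i].Trim().ToLowerInvariant();
                if (filtered.Contains(term))
                {
                    // The first hit decides the result, so the remaining terms are skipped.
                    return false;
                }
            }

            return true;
        }

        return false;
    }
}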