以前发过一个.NET上传文件的方法的,不过那个方法中对文件类型的判断只是对后缀名来进行判断的,这样假如我把一个txt文本文件的后缀名改为jpg了也可以上传,这样无意中就造成了安全问题。
刚刚从网上找了个方法,试验了一下,是能够辨认出正确的文件类型的,如下:
刚刚从网上找了个方法,试验了一下,是能够辨认出正确的文件类型的,如下:
using
System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.IO;
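public partial class niunantest : System.Web.UI.Page
{
    // Demo page: accepts an uploaded image only when its leading bytes match a known image
    // signature, instead of trusting the client-supplied file extension or Content-Type.
    //
    // Security notes for anyone reusing this:
    //  * A two-byte prefix only proves the upload *starts* like an image. A file that begins
    //    with "GIF89a" followed by server-side script still passes, so the stored file must
    //    get a server-chosen name whose extension comes from the DETECTED type (never from
    //    the client's file name) and must live under a directory with script execution disabled.
    //  * Content-Type and FileName both come from the request and are attacker-controlled.

    protected void Page_Load(object sender, EventArgs e)
    {
    }

    protected void Button1_Click(object sender, EventArgs e)
    {
        // PostedFile is null when the form was submitted without a file; the original code
        // dereferenced it unconditionally and would throw.
        if (!FileUpload1.HasFile)
        {
            Response.Write(" <br>验证不通过,只支持以下格式的图片:JPG,GIF,PNG ");
            return;
        }

        // Echoed for information only and never used for validation. It is HTML-encoded
        // because a crafted Content-Type header would otherwise be reflected as markup (XSS).
        string str = FileUpload1.PostedFile.ContentType;
        Response.Write(" 文件类型: " + Server.HtmlEncode(str));

        string filename = "";
        // Whitelist of accepted image types; everything else is rejected.
        FileExtension[] fe = { FileExtension.GIF, FileExtension.JPG, FileExtension.PNG };
        FileExtension detected;
        if (FileValidation.TryDetect(FileUpload1.PostedFile.InputStream, fe, out detected))
        {
            // Extension derived from the detected content, NOT from FileUpload1.FileName:
            // an upload starting with "GI" but named evil.aspx would otherwise pass the
            // signature check and be saved as a server-executable page.
            string fileExt = FileValidation.ExtensionFor(detected);
            Response.Write(" <br>验证通过! ");
            // NOTE(review): if the save below is enabled, a second-resolution timestamp
            // collides for concurrent uploads (consider Guid.NewGuid()), and /Images/ must
            // be configured so nothing under it is executed as script.
            // filename = "/Images/" + DateTime.Now.ToString("yyyyMMddHHmmss") + fileExt;
            // FileUpload1.PostedFile.SaveAs(Server.MapPath(filename));
        }
        else
        {
            Response.Write(" <br>验证不通过,只支持以下格式的图片:JPG,GIF,PNG ");
            return;
        }
    }

    // Known file types. The numeric value is the legacy encoding
    // first.ToString() + second.ToString() of the first two bytes (e.g. 0xFF 0xD8 -> "255216").
    // Values are kept for compatibility with callers that cast to int; matching itself is
    // done on raw bytes in FileValidation because this encoding is ambiguous
    // (7173 is both 71,73 "GI" and 7,173).
    public enum FileExtension
    {
        JPG = 255216,
        GIF = 7173,
        PNG = 13780,
        SWF = 6787,
        RAR = 8297,
        ZIP = 8075,
        _7Z = 55122
        // Reference values in the same encoding (not members of this enum):
        // 255216 jpg
        // 7173   gif
        // 6677   bmp
        // 13780  png
        // 6787   swf
        // 7790   exe, dll
        // 8297   rar
        // 8075   zip
        // 55122  7z
        // 6063   xml
        // 6033   html
        // 239187 aspx
        // 117115 cs
        // 119105 js
        // 102100 txt
        // 255254 sql
    }

    public class FileValidation
    {
        // Number of leading bytes compared against each signature.
        private const int SignatureLength = 2;

        // Actual leading bytes for each FileExtension member. These are the byte pairs whose
        // decimal concatenation gives the enum values above.
        private static readonly Dictionary<FileExtension, byte[]> Signatures =
            new Dictionary<FileExtension, byte[]>
            {
                { FileExtension.JPG, new byte[] { 0xFF, 0xD8 } },
                { FileExtension.GIF, new byte[] { 0x47, 0x49 } }, // "GI" of "GIF87a"/"GIF89a"
                { FileExtension.PNG, new byte[] { 0x89, 0x50 } }, // 0x89 'P'
                { FileExtension.SWF, new byte[] { 0x43, 0x57 } }, // "CW" (compressed "CWS" header)
                { FileExtension.RAR, new byte[] { 0x52, 0x61 } }, // "Ra" of "Rar!"
                { FileExtension.ZIP, new byte[] { 0x50, 0x4B } }, // "PK"
                { FileExtension._7Z, new byte[] { 0x37, 0x7A } }, // "7z"
            };

        /// <summary>
        /// Returns true when the uploaded file's first two bytes match one of the
        /// signatures in <paramref name="fileEx"/>. Returns false (never throws) for a
        /// missing file, an empty file or a file shorter than the signature.
        /// </summary>
        public static bool IsAllowedExtension(FileUpload fu, FileExtension[] fileEx)
        {
            if (fu == null || fu.PostedFile == null)
            {
                return false;
            }
            FileExtension ignored;
            return TryDetect(fu.PostedFile.InputStream, fileEx, out ignored);
        }

        /// <summary>
        /// Reads only the first <see cref="SignatureLength"/> bytes of <paramref name="input"/>
        /// (the original buffered the whole upload in memory) and reports which member of
        /// <paramref name="allowed"/>, if any, it matches. The stream position is restored
        /// when the stream is seekable so a later SaveAs sees the complete file.
        /// </summary>
        /// <param name="input">Upload content; may be null.</param>
        /// <param name="allowed">Whitelist of acceptable types; may be null.</param>
        /// <param name="detected">The matching type on success; default otherwise.</param>
        /// <returns>True on a match, false otherwise. A file shorter than the signature is rejected.</returns>
        public static bool TryDetect(Stream input, FileExtension[] allowed, out FileExtension detected)
        {
            detected = default(FileExtension);
            if (input == null || allowed == null)
            {
                return false;
            }

            byte[] head = ReadPrefix(input, SignatureLength);
            if (head == null)
            {
                // Fewer bytes than a signature: cannot be a well-formed file of any accepted type.
                return false;
            }

            foreach (FileExtension candidate in allowed)
            {
                byte[] sig;
                if (Signatures.TryGetValue(candidate, out sig) && sig.SequenceEqual(head))
                {
                    detected = candidate;
                    return true;
                }
            }
            return false;
        }

        /// <summary>
        /// Extension (with leading dot) under which a file of the detected type should be
        /// stored. Using this instead of the client's file name prevents an image-prefixed
        /// script from being saved with an executable extension.
        /// </summary>
        /// <exception cref="ArgumentOutOfRangeException">Unknown enum value.</exception>
        public static string ExtensionFor(FileExtension type)
        {
            switch (type)
            {
                case FileExtension.JPG: return ".jpg";
                case FileExtension.GIF: return ".gif";
                case FileExtension.PNG: return ".png";
                case FileExtension.SWF: return ".swf";
                case FileExtension.RAR: return ".rar";
                case FileExtension.ZIP: return ".zip";
                case FileExtension._7Z: return ".7z";
                default: throw new ArgumentOutOfRangeException("type");
            }
        }

        // Reads exactly `count` bytes, looping because Stream.Read may return a short read.
        // Returns null when the stream ends first. Position is restored if the stream is seekable.
        private static byte[] ReadPrefix(Stream input, int count)
        {
            long start = input.CanSeek ? input.Position : -1;
            byte[] buffer = new byte[count];
            int filled = 0;
            while (filled < count)
            {
                int n = input.Read(buffer, filled, count - filled);
                if (n <= 0)
                {
                    break;
                }
                filled += n;
            }
            if (start >= 0)
            {
                input.Position = start;
            }
            return filled == count ? buffer : null;
        }
    }
}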
个人理解:上面的代码中判断文件类型的应该是把文件转成二进制的字节,然后取开头2个字节,这样看来的话开头2个字节就表示文件的类型。需要注意的是,开头两个字节只能说明文件"以什么开头",并不能证明它是一张合法图片:攻击者完全可以在脚本文件前面加上 GIF89a 之类的文件头来通过这种检查。另外把两个字节的十进制值直接拼成字符串也有歧义(7173 既可以是 71,73 即 "GI",也可以是 7,173)。因此保存时不能沿用用户上传的文件名和后缀,而应由服务端根据识别出的类型指定后缀,并把文件存放在禁止执行脚本的目录下。
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.IO;
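public partial class niunantest : System.Web.UI.Page
{
    // Demo page: accepts an uploaded image only when its leading bytes match a known image
    // signature, instead of trusting the client-supplied file extension or Content-Type.
    //
    // Security notes for anyone reusing this:
    //  * A two-byte prefix only proves the upload *starts* like an image. A file that begins
    //    with "GIF89a" followed by server-side script still passes, so the stored file must
    //    get a server-chosen name whose extension comes from the DETECTED type (never from
    //    the client's file name) and must live under a directory with script execution disabled.
    //  * Content-Type and FileName both come from the request and are attacker-controlled.

    protected void Page_Load(object sender, EventArgs e)
    {
    }

    protected void Button1_Click(object sender, EventArgs e)
    {
        // PostedFile is null when the form was submitted without a file; the original code
        // dereferenced it unconditionally and would throw.
        if (!FileUpload1.HasFile)
        {
            Response.Write(" <br>验证不通过,只支持以下格式的图片:JPG,GIF,PNG ");
            return;
        }

        // Echoed for information only and never used for validation. It is HTML-encoded
        // because a crafted Content-Type header would otherwise be reflected as markup (XSS).
        string str = FileUpload1.PostedFile.ContentType;
        Response.Write(" 文件类型: " + Server.HtmlEncode(str));

        string filename = "";
        // Whitelist of accepted image types; everything else is rejected.
        FileExtension[] fe = { FileExtension.GIF, FileExtension.JPG, FileExtension.PNG };
        FileExtension detected;
        if (FileValidation.TryDetect(FileUpload1.PostedFile.InputStream, fe, out detected))
        {
            // Extension derived from the detected content, NOT from FileUpload1.FileName:
            // an upload starting with "GI" but named evil.aspx would otherwise pass the
            // signature check and be saved as a server-executable page.
            string fileExt = FileValidation.ExtensionFor(detected);
            Response.Write(" <br>验证通过! ");
            // NOTE(review): if the save below is enabled, a second-resolution timestamp
            // collides for concurrent uploads (consider Guid.NewGuid()), and /Images/ must
            // be configured so nothing under it is executed as script.
            // filename = "/Images/" + DateTime.Now.ToString("yyyyMMddHHmmss") + fileExt;
            // FileUpload1.PostedFile.SaveAs(Server.MapPath(filename));
        }
        else
        {
            Response.Write(" <br>验证不通过,只支持以下格式的图片:JPG,GIF,PNG ");
            return;
        }
    }

    // Known file types. The numeric value is the legacy encoding
    // first.ToString() + second.ToString() of the first two bytes (e.g. 0xFF 0xD8 -> "255216").
    // Values are kept for compatibility with callers that cast to int; matching itself is
    // done on raw bytes in FileValidation because this encoding is ambiguous
    // (7173 is both 71,73 "GI" and 7,173).
    public enum FileExtension
    {
        JPG = 255216,
        GIF = 7173,
        PNG = 13780,
        SWF = 6787,
        RAR = 8297,
        ZIP = 8075,
        _7Z = 55122
        // Reference values in the same encoding (not members of this enum):
        // 255216 jpg
        // 7173   gif
        // 6677   bmp
        // 13780  png
        // 6787   swf
        // 7790   exe, dll
        // 8297   rar
        // 8075   zip
        // 55122  7z
        // 6063   xml
        // 6033   html
        // 239187 aspx
        // 117115 cs
        // 119105 js
        // 102100 txt
        // 255254 sql
    }

    public class FileValidation
    {
        // Number of leading bytes compared against each signature.
        private const int SignatureLength = 2;

        // Actual leading bytes for each FileExtension member. These are the byte pairs whose
        // decimal concatenation gives the enum values above.
        private static readonly Dictionary<FileExtension, byte[]> Signatures =
            new Dictionary<FileExtension, byte[]>
            {
                { FileExtension.JPG, new byte[] { 0xFF, 0xD8 } },
                { FileExtension.GIF, new byte[] { 0x47, 0x49 } }, // "GI" of "GIF87a"/"GIF89a"
                { FileExtension.PNG, new byte[] { 0x89, 0x50 } }, // 0x89 'P'
                { FileExtension.SWF, new byte[] { 0x43, 0x57 } }, // "CW" (compressed "CWS" header)
                { FileExtension.RAR, new byte[] { 0x52, 0x61 } }, // "Ra" of "Rar!"
                { FileExtension.ZIP, new byte[] { 0x50, 0x4B } }, // "PK"
                { FileExtension._7Z, new byte[] { 0x37, 0x7A } }, // "7z"
            };

        /// <summary>
        /// Returns true when the uploaded file's first two bytes match one of the
        /// signatures in <paramref name="fileEx"/>. Returns false (never throws) for a
        /// missing file, an empty file or a file shorter than the signature.
        /// </summary>
        public static bool IsAllowedExtension(FileUpload fu, FileExtension[] fileEx)
        {
            if (fu == null || fu.PostedFile == null)
            {
                return false;
            }
            FileExtension ignored;
            return TryDetect(fu.PostedFile.InputStream, fileEx, out ignored);
        }

        /// <summary>
        /// Reads only the first <see cref="SignatureLength"/> bytes of <paramref name="input"/>
        /// (the original buffered the whole upload in memory) and reports which member of
        /// <paramref name="allowed"/>, if any, it matches. The stream position is restored
        /// when the stream is seekable so a later SaveAs sees the complete file.
        /// </summary>
        /// <param name="input">Upload content; may be null.</param>
        /// <param name="allowed">Whitelist of acceptable types; may be null.</param>
        /// <param name="detected">The matching type on success; default otherwise.</param>
        /// <returns>True on a match, false otherwise. A file shorter than the signature is rejected.</returns>
        public static bool TryDetect(Stream input, FileExtension[] allowed, out FileExtension detected)
        {
            detected = default(FileExtension);
            if (input == null || allowed == null)
            {
                return false;
            }

            byte[] head = ReadPrefix(input, SignatureLength);
            if (head == null)
            {
                // Fewer bytes than a signature: cannot be a well-formed file of any accepted type.
                return false;
            }

            foreach (FileExtension candidate in allowed)
            {
                byte[] sig;
                if (Signatures.TryGetValue(candidate, out sig) && sig.SequenceEqual(head))
                {
                    detected = candidate;
                    return true;
                }
            }
            return false;
        }

        /// <summary>
        /// Extension (with leading dot) under which a file of the detected type should be
        /// stored. Using this instead of the client's file name prevents an image-prefixed
        /// script from being saved with an executable extension.
        /// </summary>
        /// <exception cref="ArgumentOutOfRangeException">Unknown enum value.</exception>
        public static string ExtensionFor(FileExtension type)
        {
            switch (type)
            {
                case FileExtension.JPG: return ".jpg";
                case FileExtension.GIF: return ".gif";
                case FileExtension.PNG: return ".png";
                case FileExtension.SWF: return ".swf";
                case FileExtension.RAR: return ".rar";
                case FileExtension.ZIP: return ".zip";
                case FileExtension._7Z: return ".7z";
                default: throw new ArgumentOutOfRangeException("type");
            }
        }

        // Reads exactly `count` bytes, looping because Stream.Read may return a short read.
        // Returns null when the stream ends first. Position is restored if the stream is seekable.
        private static byte[] ReadPrefix(Stream input, int count)
        {
            long start = input.CanSeek ? input.Position : -1;
            byte[] buffer = new byte[count];
            int filled = 0;
            while (filled < count)
            {
                int n = input.Read(buffer, filled, count - filled);
                if (n <= 0)
                {
                    break;
                }
                filled += n;
            }
            if (start >= 0)
            {
                input.Position = start;
            }
            return filled == count ? buffer : null;
        }
    }
}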