aspose file tools*
The moose likes Servlets and the fly likes checking content type of file upload? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » Servlets
Bookmark "checking content type of file upload?" Watch "checking content type of file upload?" New topic
Author

checking content type of file upload?

marten kay
Ranch Hand

Joined: Feb 03, 2007
Posts: 178

I am uploading a file from a HTML form to a servlet, and I am seeking the best way to check the content type of the uploaded file. The type (rather than the subtype) is particularly important as the type affects how the file is handled by the system. So what are the options for checking content type?

As I see it

1) On the client (HTML side), it seems that the only thing that I can do is use javascript to check the file extension, and use some sort of mapping to check against the content type. Is this correct?

2) On the server side (Java - using com.oreilly.servlet) it seems I can only get the content type from the header, but the content type is set by the client side using the extension in the first place. is this right?

It just comes to mind that a user can fool the system by changing the file extension... is this correct? or is there someway for either the client or server to 'interrogate' the actual file?

Thanks


when in doubt put it in parenthesis and stick a dollar sign in front of it, only good can come from this.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61434
    
  67

Moved to the Servlets forum.


[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]
Tim McGuire
Ranch Hand

Joined: Apr 30, 2003
Posts: 820

marten kay wrote:
1) On the client (HTML side), it seems that the only thing that I can do is use javascript to check the file extension, and use some sort of mapping to check against the content type. Is this correct?

yes and this only serves to help the user. It can't really ensure that a false kind of file is uploaded
marten kay wrote:
2) On the server side (Java - using com.oreilly.servlet) it seems I can only get the content type from the header, but the content type is set by the client side using the extension in the first place. is this right?
It just comes to mind that a user can fool the system by changing the file extension... is this correct?


This is right. all content type information comes from the browser and it can't really be trusted.

Is there someway for either the client or server to 'interrogate' the actual file?

there are some solutions if you expect, for example, an image file, you can convert it to an image file using java's imageio and then interrogate it as an image, for example checking if image size returns something valid.

If you have a PDF Library like itext, you could do something similar by converting a supposed PDF upload to PDF and making sure it behaves correctly.

beyond that, you can examine the byte stream and using a table of "magic numbers" for common file types to determine the file type.
Here is a blog post comparing various file type identifier solutions in java:
http://fredeaker.blogspot.com/2006/12/file-type-mime-detection.html


I imagine someone could fix a file's bytes to have the correct magic numbers making it look like a gif file when it isn't, but now you are in anti-virus scanning territory.
marten kay
Ranch Hand

Joined: Feb 03, 2007
Posts: 178

Thanks Tim

They should change your status from Ranch Hand to Ranch Legend!

Based on this advice, I will do a file extension check on the client side only to assist the user. And deal with corrupt data in my second iteration.. when I have financial backing and programming team

again, thanks a lot... much appreciated.
Hitesh Saliya
Greenhorn

Joined: Dec 02, 2009
Posts: 2
Hi you could use

String abcPath = "C:/Documents and Settings/hiteshs/Desktop/entry.gif";
File f = new File(abcPath);
Magic parser = new Magic() ;
// getMagicMatch accepts Files or byte[],
// which is nice if you want to test streams
System.out.println("f.exists()"+f.exists());
MagicMatch match = parser.getMagicMatch(f,false);
System.out.println("ContentType :"+match.getMimeType());

Fot this you need jmimemagic.jar
 
 
subject: checking content type of file upload?