File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
http://aspose.com/file-tools
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

checking content type of file upload?

 
marten kay
Ranch Hand
Posts: 178
Java jQuery Postgres Database
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I am uploading a file from a HTML form to a servlet, and I am seeking the best way to check the content type of the uploaded file. The type (rather than the subtype) is particularly important as the type affects how the file is handled by the system. So what are the options for checking content type?

As I see it

1) On the client (HTML side), it seems that the only thing that I can do is use javascript to check the file extension, and use some sort of mapping to check against the content type. Is this correct?

2) On the server side (Java - using com.oreilly.servlet) it seems I can only get the content type from the header, but the content type is set by the client side using the extension in the first place. is this right?

It just comes to mind that a user can fool the system by changing the file extension... is this correct? or is there someway for either the client or server to 'interrogate' the actual file?

Thanks

 
Bear Bibeault
Author and ninkuma
Marshal
Pie
Posts: 64196
83
IntelliJ IDE Java jQuery Mac Mac OS X
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Moved to the Servlets forum.
 
Tim McGuire
Ranch Hand
Posts: 820
IntelliJ IDE Tomcat Server VI Editor
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
marten kay wrote:
1) On the client (HTML side), it seems that the only thing that I can do is use javascript to check the file extension, and use some sort of mapping to check against the content type. Is this correct?

yes and this only serves to help the user. It can't really ensure that a false kind of file is uploaded
marten kay wrote:
2) On the server side (Java - using com.oreilly.servlet) it seems I can only get the content type from the header, but the content type is set by the client side using the extension in the first place. is this right?
It just comes to mind that a user can fool the system by changing the file extension... is this correct?


This is right. all content type information comes from the browser and it can't really be trusted.

Is there someway for either the client or server to 'interrogate' the actual file?

there are some solutions if you expect, for example, an image file, you can convert it to an image file using java's imageio and then interrogate it as an image, for example checking if image size returns something valid.

If you have a PDF Library like itext, you could do something similar by converting a supposed PDF upload to PDF and making sure it behaves correctly.

beyond that, you can examine the byte stream and using a table of "magic numbers" for common file types to determine the file type.
Here is a blog post comparing various file type identifier solutions in java:
http://fredeaker.blogspot.com/2006/12/file-type-mime-detection.html


I imagine someone could fix a file's bytes to have the correct magic numbers making it look like a gif file when it isn't, but now you are in anti-virus scanning territory.
 
marten kay
Ranch Hand
Posts: 178
Java jQuery Postgres Database
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thanks Tim

They should change your status from Ranch Hand to Ranch Legend!

Based on this advice, I will do a file extension check on the client side only to assist the user. And deal with corrupt data in my second iteration.. when I have financial backing and programming team

again, thanks a lot... much appreciated.
 
Hitesh Saliya
Greenhorn
Posts: 2
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi you could use

String abcPath = "C:/Documents and Settings/hiteshs/Desktop/entry.gif";
File f = new File(abcPath);
Magic parser = new Magic() ;
// getMagicMatch accepts Files or byte[],
// which is nice if you want to test streams
System.out.println("f.exists()"+f.exists());
MagicMatch match = parser.getMagicMatch(f,false);
System.out.println("ContentType :"+match.getMimeType());

Fot this you need jmimemagic.jar
 
I agree. Here's the link: http://aspose.com/file-tools
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic