checking content type of file upload?

 
Ranch Hand
Posts: 226
I am uploading a file from an HTML form to a servlet, and I am seeking the best way to check the content type of the uploaded file. The type (rather than the subtype) is particularly important as the type affects how the file is handled by the system. So what are the options for checking content type?

As I see it:

1) On the client (HTML side), it seems that the only thing that I can do is use JavaScript to check the file extension, and use some sort of mapping to check against the content type. Is this correct?

2) On the server side (Java - using com.oreilly.servlet) it seems I can only get the content type from the header, but the content type is set by the client side using the extension in the first place. Is this right?

It just comes to mind that a user can fool the system by changing the file extension... Is this correct? Or is there some way for either the client or server to 'interrogate' the actual file?

Thanks

 
Sheriff
Posts: 67746
Moved to the Servlets forum.
 
Ranch Hand
Posts: 820
marten kay wrote:
1) On the client (HTML side), it seems that the only thing that I can do is use JavaScript to check the file extension, and use some sort of mapping to check against the content type. Is this correct?


Yes, and this only serves to help the user. It can't really ensure that a false kind of file is uploaded.

marten kay wrote:
2) On the server side (Java - using com.oreilly.servlet) it seems I can only get the content type from the header, but the content type is set by the client side using the extension in the first place. Is this right?
It just comes to mind that a user can fool the system by changing the file extension... Is this correct?


This is right. All content type information comes from the browser and it can't really be trusted.


Is there some way for either the client or server to 'interrogate' the actual file?


There are some solutions. If you expect, for example, an image file, you can convert it to an image file using Java's ImageIO and then interrogate it as an image, for example checking if image size returns something valid.

If you have a PDF library like iText, you could do something similar by converting a supposed PDF upload to PDF and making sure it behaves correctly.

Beyond that, you can examine the byte stream and use a table of "magic numbers" for common file types to determine the file type.
Here is a blog post comparing various file type identifier solutions in java:
http://fredeaker.blogspot.com/2006/12/file-type-mime-detection.html


I imagine someone could fix a file's bytes to have the correct magic numbers making it look like a gif file when it isn't, but now you are in anti-virus scanning territory.
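
The server-side checks described in the reply above, combined, as an added example that is not part of the original thread: a small magic-number table plus an ImageIO decode, neither of which looks at the client-supplied Content-Type or the file extension. The class name, the type table and the 4096-pixel limit are assumptions made for illustration.

```java
import javax.imageio.ImageIO;
import java.awt.image.BufferedImage;
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.*;

public class UploadTypeCheck {
    // Magic-number table for the types this (hypothetical) application accepts.
    private static final Map<String, byte[]> MAGIC = new LinkedHashMap<>();
    static {
        MAGIC.put("image/png", new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A});
        MAGIC.put("image/gif", new byte[] {'G', 'I', 'F', '8'});
        MAGIC.put("image/jpeg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF});
        MAGIC.put("application/pdf", new byte[] {'%', 'P', 'D', 'F', '-'});
    }

    /** Type guessed from the leading bytes only; null if nothing in the table matches. */
    static String sniff(byte[] data) {
        for (Map.Entry<String, byte[]> e : MAGIC.entrySet()) {
            byte[] sig = e.getValue();
            if (data.length >= sig.length && Arrays.equals(Arrays.copyOf(data, sig.length), sig)) {
                return e.getKey();
            }
        }
        return null;
    }

    /** An image passes only if the magic number matches and the bytes really decode. */
    static boolean isValidImage(byte[] data, int maxSide) {
        String type = sniff(data);
        if (type == null || !type.startsWith("image/")) return false;
        try {
            BufferedImage img = ImageIO.read(new ByteArrayInputStream(data)); // null: no decoder
            return img != null && img.getWidth() <= maxSide && img.getHeight() <= maxSide;
        } catch (IOException | RuntimeException e) {
            return false; // header looked right, body is not a decodable image
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed samples: a genuine 1x1 PNG, and text that merely starts with a GIF header.
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ImageIO.write(new BufferedImage(1, 1, BufferedImage.TYPE_INT_RGB), "png", out);
        byte[] realPng = out.toByteArray();
        byte[] fakeGif = "GIF89a this is not an image".getBytes(StandardCharsets.US_ASCII);
        System.out.println(sniff(realPng) + " accepted=" + isValidImage(realPng, 4096));
        System.out.println(sniff(fakeGif) + " accepted=" + isValidImage(fakeGif, 4096));
    }
}
```

Cap the upload size before calling `isValidImage`, since `ImageIO.read` decodes the whole image in memory.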
 
marten koomen
Ranch Hand
Posts: 226
Thanks Tim

They should change your status from Ranch Hand to Ranch Legend!

Based on this advice, I will do a file extension check on the client side only to assist the user. And deal with corrupt data in my second iteration... when I have financial backing and a programming team :D

Again, thanks a lot... much appreciated.
 
Greenhorn
Posts: 2
Hi, you could use

import java.io.File;
import net.sf.jmimemagic.Magic;
import net.sf.jmimemagic.MagicMatch;

String abcPath = "C:/Documents and Settings/hiteshs/Desktop/entry.gif";
File f = new File(abcPath);
Magic parser = new Magic();
// getMagicMatch accepts Files or byte[],
// which is nice if you want to test streams
System.out.println("f.exists() " + f.exists());
// Detect the type from the file's content
MagicMatch match = parser.getMagicMatch(f, false);
System.out.println("ContentType: " + match.getMimeType());

For this you need jmimemagic.jar
 