我已经用我的代码验证了用户只能上传.pdf个文件。但是我的测试人员之一以某种方式上传.exe扩展文件。下面是我如何验证它的代码。
protected void btnUpload_Click(object sender, EventArgs e)
{
//Label2.Visible = true;
if (txtSearchStore.Text != "")
{
string filePath = FileUpload1.PostedFile.FileName; // getting the file path of uploaded file
string filename1 = Path.GetFileName(filePath); // getting the file name of uploaded file
string lastUpdatedBy = String.Empty;
//DateTime lastUpdateDat = default(DateTime);
//lastUpdateDat
string ext = Path.GetExtension(filename1); // getting the file extension of uploaded file
string type = String.Empty;
if (!FileUpload1.HasFile)
{
//Label2.Text = "Please Select File";
//if file uploader has no file selected
string script = "alert(\"Please Select File.!\");";
ScriptManager.RegisterStartupScript(this, GetType(),
"ServerControlScript", script, true);
}
else
if (FileUpload1.HasFile)
{
try
{
switch (ext) // this switch code validate the files which allow to upload only PDF file
{
case ".pdf":
type = "application/pdf";
break;
}
if (type != String.Empty)
{
string strReturnId = "";
Stream fs = FileUpload1.PostedFile.InputStream;
BinaryReader br = new BinaryReader(fs); //reads the binary files
Byte[] filebytes = br.ReadBytes((Int32)fs.Length);
//counting the file length into bytes
strReturnId = CommonDB.UPDATE_SLP_LAST_PMS_INFO(txtSearchStore.Text.Trim(), filename1, filebytes, lastUpdatedBy);
//Label2.ForeColor = System.Drawing.Color.Green;
//Label2.Text = "File Uploaded Successfully";
string script = "alert(\"File Uploaded Successfully.!\");";
ScriptManager.RegisterStartupScript(this, GetType(),
"ServerControlScript", script, true);
getStoreDetails();
}
else
{
//Label2.ForeColor = System.Drawing.Color.Red;
//Label2.Text = "Select Only PDF Files "; // if file is other than speified extension
string script = "alert(\"Select Only PDF Files.!\");";
ScriptManager.RegisterStartupScript(this, GetType(),
"ServerControlScript", script, true);
}
}
catch (Exception ex)
{
string strErrorMsg = ex.Message.ToString() + " " + "StackTrace :" + ex.StackTrace.ToString();
CommonDB.WriteLog("ERROR:" + strErrorMsg, ConfigurationManager.AppSettings["IPCOLO_LOG"].ToString());
}
}
}
else
{
//Label2.ForeColor = System.Drawing.Color.Red;
//Label2.Text = "Select Only PDF Files "; // if file is other than speified extension
string script = "alert(\"Enter Store code.!\");";
ScriptManager.RegisterStartupScript(this, GetType(),
"ServerControlScript", script, true);
}
}
所以根据他的说法可以上传一个恶意的“ exe”文件(具有双扩展名),并且无法检查要上传的实际文件的内容类型
那么我怎么能阻止他这样做。任何建议都会有帮助