After reading the data from the request as a Stream, I needed to convert it to an Image, so I used this method:
Stream inputStream = HttpContext.Current.Request.InputStream;
Image img = Image.FromStream(inputStream);
My question is: while I'm unable to know what was in that inputStream (file format is done already, but still...), there may be a virus or malware, so in that case FromStream(Stream) would throw ArgumentException, since it's not an image.
My question is: if the file uploaded contains a virus, and the method throws an exception while trying to convert the stream to an Image, does that do any harm to the server?
If so, how do I avoid it? What should the scenario be for handling file uploads on the server?
Even if we could answer this with any certainty (which we can't, because unknown vulnerabilities are unknown, and if it was a known vulnerability, Microsoft would presumably have fixed it), it would be irresponsible to post details of an exploit here. If I knew of an attack vector via Image.FromStream (or any part of the .NET framework, or really any other way), the responsible thing to do would be to report it to the vendor (MSFT in this case) and wait for them to fix it.

Basically, you need to trust that Microsoft has examined the edge conditions of parsing image data and ensured that there are no native buffer overflow or other similar vulnerabilities in that code. Something that Microsoft has admittedly made mistakes at in the past, but in all fairness has gotten much, much better at addressing over the past few years.
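
One way to handle the upload described in the question, as an added example that is not code from the original posts: cap the body size, let Image.FromStream reject non-images through ArgumentException, and keep only re-encoded pixels. The names UploadedImage and TryReencode, the 5 MB limit and the JPEG/PNG allow-list are assumptions for illustration; the sketch still relies on the image parser itself being sound, as the answer points out.

```csharp
using System;
using System.Drawing;
using System.Drawing.Imaging;
using System.IO;

public static class UploadedImage
{
    // Assumed limit for this example; pick a value that fits the application.
    private const int MaxBytes = 5 * 1024 * 1024;

    // Returns re-encoded PNG bytes, or null when the upload is not an acceptable image.
    public static byte[] TryReencode(Stream input)
    {
        // Buffer the body, rejecting anything over MaxBytes before it is parsed.
        using (var buffer = new MemoryStream())
        {
            var chunk = new byte[8192];
            int read;
            while ((read = input.Read(chunk, 0, chunk.Length)) > 0)
            {
                if (buffer.Length + read > MaxBytes) return null;
                buffer.Write(chunk, 0, read);
            }
            buffer.Position = 0;
            try
            {
                // Third argument (validateImageData) asks GDI+ to validate the data on load.
                using (var img = Image.FromStream(buffer, false, true))
                {
                    // Accept only the formats the application expects.
                    Guid format = img.RawFormat.Guid;
                    if (format != ImageFormat.Jpeg.Guid && format != ImageFormat.Png.Guid)
                        return null;
                    // Copy the pixels into a new bitmap; trailing bytes of the upload are dropped.
                    using (var copy = new Bitmap(img))
                    using (var output = new MemoryStream())
                    {
                        copy.Save(output, ImageFormat.Png);
                        return output.ToArray();
                    }
                }
            }
            catch (ArgumentException)
            {
                // Not an image (the case described in the question): reject the upload.
                return null;
            }
        }
    }
}
```

Called as UploadedImage.TryReencode(HttpContext.Current.Request.InputStream), a null result means the upload should be refused and nothing written to disk.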