Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I have ASP.NET form with an upload control for users to post an image. On the server I load that image (using the Bitmap class) and resize it.
Is there any danger in doing that when users upload malicious or affected files or will the code just throw an exception at some point and stop the whole process?
Best hacker can hope for is using Buffer Overflow exploit, then he’s writing malicious code to the server memory. However from what I’ve read, such thing can happen only when using unsafe code, and since Bitmap is totally managed I’m pretty sure it’s safe to use it.
However, really clever hacker can trick the Bitmap and create “custom” picture file that will be perfectly valid picture, but will also contain “hitchhiker” code that might cause damage when viewed in browser, using some future exploit. So safest way is to save the Bitmap itself to disk instead of the raw uploaded file, meaning use the bitmap.Save method instead of the SaveAs method of HttpPostedFile. This way any extra code will be omitted, as the Bitmap won’t load it and your visitors will be safe.
By the way, you can store the uploaded files outside the website root folder, and create “proxy” file to read it from the folder: this way users won’t be able to browse directly to the images, they’ll have to use the proxy file. This is useful if you’ll add permissions mechanism at some point, e.g. user A should not be able to see what user B uploaded.