I would like to have a whitelist of filetypes that users are authorized to upload to my IIS server (im using IIS v7.5).
What is the options that i have? For example, to restrict filesize to 5MB for a specific action in my controller, i added this section to my webconfig:
<location path="home/fileupload">
<system.web>
<!-- maxRequestLength is in kilobytes (KB) -->
<httpRuntime maxRequestLength="5120" /> <!-- 5MB -->
</system.web>
<system.webServer>
<security>
<requestFiltering>
<!-- maxAllowedContentLength is in bytes -->
<requestLimits maxAllowedContentLength="5242880"/> <!-- 5MB -->
</requestFiltering>
</security>
</system.webServer>
</location>
Is there an option in the webconfig to set a whitelist of allowed filetypes? Or is the only option is to validate the filetypes in code when the file is fully uploaded? What is the recommended technics? How can i be sure that the .docx, .pdf, .jpg, etc are really what they are?
Since you are wanting server side you could use the files mime type.
THIS post shows how to determine the MIME type based on the files contents (instead of by the extension).
If you do want to limit the input to SPECIFIC file extension you could simply check the input name against what you want to accept. If this passes you could do an xref against the library in the post I linked to make sure the user didn't just change the file extension on you.
Doing this would provide a pretty good degree of certainty that the file is one that you want to accept!
EDIT: Based on comments so far....
Based on what you have said you are looking for this method should work quite nicely for you. My suggestion if you are simply wanting to limit it to the types of files listed in one of you comments... Do a simple check on the file extension. If that is valid then pass the file to the urlmon.dll listed in the link. Make sure it doesn't come back as an invalid type....aka Executable/java/zip/etc. If it isn't an invalid type then you will have a very high degree of certainty that it is a safe file!
Lastly, reading through the comments on that post it looks like the urlmon.dll might support all the file types you are wanting implicitly which would remove the need to check that it isn't an executable or something of that nature, but you would need to confirm the doc/docx/xsl/xslx do return a valid mime type.
No, there is no web.config setting to restrict what gets uploaded.
The only possible way to validate uploaded data is to actually validate that data in code.
Even if there were a setting, it would be useless anyway because it would be based on the Content-Type headers received from the client, which can be quite wrong.
In code, you can certainly look at the Content-Type header, but if you're trying to validate that the uploaded data is of a specific type, you're going to have to do so manually, based on what kind of data you are expecting. For an image, this is easy. For other file types, it can be a lot harder.
Data Anotations is what you are looking for, here is a search that may help you, google data anotaions
Update
I think it validates off of file extensions. If you don't wan't to rely on file extensions, I think your best bet is to validate off of MIME types. This is more complex and varies from browser to browser, and can be faked (although this is more complex than faking an extension.)
A simple yet not free option is to use Telerik RadAsyncUpload.
You could write this code yourself (although I've never messed with it) this may get you started. (this post deals with the fact that you can't reliably detect mime types without IIS, but it should get you on your way.)
Hopefully this will get you going. As you know, you can restrict files by their size, validate by their extensions, and if you add validation by MIME types I think you have done all you can. I think this is all you can do to be safe and not to exclude valid files; although I have heard of hashing the file, and some other options; but these will most defiantly exclude legit files.
Also, as I mentioned, MIME types can be fakes and sent to your server, to be extra safe you should validate on both client side and server side.
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 狗以群分 的文章《How to restrict/validate file upload filetypes ser》','https://www.manongdao.com/article-971884.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}