Find out the real file type

Question

I am working on an ASP web page that handles file uploads. Only certain types of files are allowed to be uploaded, like .XLS, .XML, .CSV, .TXT, .PDF, .PPT, etc.

I

Answer 1

Maybe you could approach this from a different direction. Instead of identifying all the file types that are uploaded (Excel alone seems like a mess to me, because it has several formats these days), why not run all the uploads through a virus scanner? A wide variety of files can contain viruses and trojans. It may be more work for your server, but it's the safest solution.

Then it's up to the users to correctly identify their file types, which seems reasonable. Adding in a lot of code (that will need to be tested too) just to double check your users seems like a big step. If I say it's a .pdf2 file will you rename it to .pdf? If this is in a corporate environment then it's reasonable to expect the users to have correct extensions on their files. I'd track who uploaded what as well. If it's public then scanning for file types might be worthwhile, but I'd absolutely do the virus scan as well.