File signature inspection
Using the data contained in a file requires software that understands it. Seen from the software's side, each program defines its own file format so that the results of its processing can be saved and read back later.
Image files (JPG, GIF, PNG, BMP, ...) likewise each have their own format, and a graphics viewer can display the image data of such a file on screen because the viewer was implemented to read the specific format of each file type.
So each file type has its own format, and the basic information that distinguishes one format from another is the file signature. For a JPG file, for example, the binary data shown in hexadecimal starts with 0xFF, 0xD8, and such information identifies the format.
File signature inspection verifies that a target file is really of the format it claims to be, by comparing the position and value of the signature defined for that format with the contents of the file.
- Automatically check the file signature
The DEXTUpload.NET Professional product also carries out various filter processing. File signature inspection is executed immediately after the module has finished creating the temporary file.
To enable file signature inspection, set the "methodFileSignatureChecking" attribute of the "settings" element in the "dextupload.net" section of the "Web.config" file.
    <dextupload.net>
        <!-- "noChecking, absenceNotAllow, absenceOrSame". The default value is "noChecking". -->
        <settings ... methodFileSignatureChecking="absenceOrSame" ... />
    </dextupload.net>
- "NoChecking": the same as when the attribute is not set; file signature inspection is not run.
- "AbsenceNotAllow": the target file is restricted if no signature information exists for the file being examined, or if the inspection result does not match.
- "AbsenceOrSame": the target file is restricted only if signature information exists and the inspection result does not match.
File signature inspection requires signature information. This information is already included in the internal component resource. However, since it is not possible to include every signature, some signature information is missing. For example, if the signature resource contains no information about the GIF format and the target file is a GIF, then with "methodFileSignatureChecking" set to "absenceNotAllow" the target is filtered, whereas with "absenceOrSame" it is passed because there is no GIF signature information in the resource.
When a file is restricted because of its format, an exception occurs by default, so unless you have special exception handling an HTTP 500 status code is returned to the client. In contrast, when a file has been filtered by file signature inspection and the value of the "filterAction" attribute is "flushing", the file is replaced with a 0-byte file instead of raising an error. If the "compact" attribute is also "true", the file is removed from the form collection before it is passed to the page or handler.
Text-format files (txt) have no signature information in the resource, so with "absenceNotAllow" they always cause an error. Therefore, to allow text files such as xml, set the value to "absenceOrSame".
- Referring to an external resource, rather than the built-in resource, for file signature inspection
The signature resource built into the component may be slow to update. If new signature information has been added, or a signature that had a problem has been changed, you can receive the modified resource file earlier, without waiting for an official version update.
To refer to the modified resource file, specify its path in the "signatureDataFilePath" attribute of the "settings" element in the "dextupload.net" section of the "Web.config" file.
    <dextupload.net>
        <!-- Starting with ~/, it indicates a path relative to the web application root. If necessary, you can use an absolute path like c:\temp. -->
        <settings ... methodFileSignatureChecking="absenceOrSame" signatureDataFilePath="~/files/dextupload-1.1.2.0.dxfs" ... />
    </dextupload.net>
- Performing the inspection manually
To perform the inspection directly, without configuring file signature inspection in the HTTP module, use the "FileSignatureAnalyzer" class in a page, a handler or a controller (in an MVC environment).
    <dextupload.net>
        <!-- Set to "noChecking", or remove the methodFileSignatureChecking attribute. -->
        <settings ... methodFileSignatureChecking="noChecking" ... />
    </dextupload.net>
To inspect file signatures manually, before running the save methods (FileElement.Save, FileElement.SaveAs, FileUpload.SaveAll, etc.), you can inspect the temporary file with the "Check" method of the "FileSignatureAnalyzer" class.
    using (var dext = new FileUpload())
    {
        // Create an instance of the "FileSignatureAnalyzer" class.
        var fsa = new FileSignatureAnalyzer();
        var element = dext.GetSingleFileElement();

        if (!element.IsEmpty)
        {
            // Check that the extension name of the file matches the signature contents.
            var fsr = fsa.Check(element.FileExtension, element.TempFilePath);

            switch (fsr)
            {
                case FileSignatureResult.Absence:
                    // The signature information for the extension does not exist in the resource.
                    ...
                    break;
                case FileSignatureResult.Different:
                    // The file does not match the signature information.
                    ...
                    break;
                case FileSignatureResult.Same:
                    // The file matches the signature information.
                    break;
            }
        }
    }
In ASP.NET MVC:
    [HttpPost]
    public ActionResult Upload([Bind(Prefix = "file1")] DEXTPostedFile file)
    {
        if (file != null)
        {
            // Create an instance of the "FileSignatureAnalyzer" class.
            var fsa = new FileSignatureAnalyzer();

            // Check that the extension name of the file matches the signature contents.
            var fsr = fsa.Check(file.Element.FileExtension, file.Element.TempFilePath);

            switch (fsr)
            {
                case FileSignatureResult.Absence:
                    // The signature information for the extension does not exist in the resource.
                    ...
                    break;
                case FileSignatureResult.Different:
                    // The file does not match the signature information.
                    ...
                    break;
                case FileSignatureResult.Same:
                    // The file matches the signature information.
                    break;
            }
        }
    }
"FileSignatureAnalyzer" performs file signature inspection using the internal resource. To inspect using an external resource instead, pass the path of the resource file to the constructor.
    // Create a signature checker using an external resource.
    // The path to the external resource file must start with a drive letter or be a UNC path.
    var fsa = new FileSignatureAnalyzer(@"c:\temp\dextupload-1.1.2.0.dxfs");
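The following is an added example, written in Python and not part of DEXTUpload.NET, that shows what a signature check of the kind described above actually does: it reproduces the three-way result (Absence / Different / Same) returned by "Check", and applies the "absenceNotAllow" and "absenceOrSame" policies from the configuration section to that result. The signature table, the sample files and the function names are all constructed for this example; the table deliberately has no GIF entry, mirroring the page's "no GIF signature in the resource" case, and it is not the product's .dxfs resource format.

```python
# Added example (not DEXTUpload.NET code): a minimal file-signature check with
# the three-way result and the two filtering policies described in the text.
import tempfile
from enum import Enum
from pathlib import Path


class FileSignatureResult(Enum):
    ABSENCE = "Absence"      # no signature is known for this extension
    DIFFERENT = "Different"  # signature known, but the file bytes do not match
    SAME = "Same"            # signature known and the file bytes match


# Constructed signature resource: extension -> (offset, expected bytes).
# GIF is intentionally absent to mirror the example in the text.
SIGNATURES = {
    "jpg": (0, b"\xff\xd8"),            # JPEG data starts with 0xFF 0xD8
    "png": (0, b"\x89PNG\r\n\x1a\n"),   # PNG 8-byte signature
}


def check(extension, path, signatures=SIGNATURES):
    """Compare the bytes at the signature offset with the expected value."""
    ext = extension.lower().lstrip(".")
    if ext not in signatures:
        return FileSignatureResult.ABSENCE
    offset, magic = signatures[ext]
    with open(path, "rb") as fh:
        fh.seek(offset)
        head = fh.read(len(magic))  # a file shorter than the signature simply fails to match
    return FileSignatureResult.SAME if head == magic else FileSignatureResult.DIFFERENT


def is_allowed(result, method):
    """Apply a methodFileSignatureChecking policy value to a check result."""
    if method == "noChecking":
        return True
    if method == "absenceNotAllow":
        return result is FileSignatureResult.SAME
    if method == "absenceOrSame":
        return result is not FileSignatureResult.DIFFERENT
    raise ValueError(f"unknown methodFileSignatureChecking value: {method}")


def demo():
    """Check constructed sample files; returns {name: (result, {policy: allowed})}."""
    samples = {
        "real.jpg": (".jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        "renamed.jpg": (".jpg", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),  # PNG bytes, .jpg name
        "image.gif": (".gif", b"GIF89a" + b"\x00" * 16),               # no GIF entry in resource
        "notes.txt": (".txt", b"hello"),                               # text formats have no signature
    }
    outcomes = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (ext, data) in samples.items():
            path = Path(tmp, name)
            path.write_bytes(data)
            result = check(ext, path)
            outcomes[name] = (
                result,
                {m: is_allowed(result, m) for m in ("absenceNotAllow", "absenceOrSame")},
            )
    return outcomes


if __name__ == "__main__":
    for name, (result, allowed) in demo().items():
        print(f"{name:12s} {result.value:10s} {allowed}")
```

Running the block shows the behaviour the configuration section describes: the mis-named PNG is rejected under both policies, while the GIF and the text file are rejected under "absenceNotAllow" only because no signature exists for them, not because their contents are wrong.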
- Notes on file signature inspection
- Text file formats are excluded when the signature resource is created.
- File signature inspection opens the file to check its contents. Although this takes only a short time, it is a file I/O operation, so the overall upload speed may be slowed.
- When a "FileSignatureAnalyzer" is created with an external resource file, every construction of the object reads the resource file from disk, which can affect performance.
- Because the file signature resource is not complete, it is updated regularly with the product.
- File signature inspection compares a few small parts of the file; it is not intended to fully analyze the file's header and footer. Therefore it cannot detect cases such as malicious code that exploits a vulnerability in the format itself.
- Many files with different extension names share the same signature, so the inspection cannot be used to clearly separate such formats. File signature inspection is not a check of the full format; it is only a stronger examination than checking the extension name, so note that it cannot completely prevent a disguised file crafted by an attacker.