IW15 FileUploader and GetUploadedFileMimeType
I could recreate the AV. A patch will be released soon
(11-30-2019, 09:19 PM)Alexandre Machado Wrote: I could recreate the AV. A patch will be released soon
Hi and a Happy New Year to you all! Just wanted to check when you expect an IW 15.1.11 (?) release that contains this fix?
Hi again. I just downloaded 15.1.11 and tested TIWFileUploader.CheckMimeType() and now it works without errors, thanks!

The only thing I noticed in my tests is that the method in some cases seems to take the file extension into account rather than just the file contents (which is not ideal since the function typically can be used as an extra layer of protection against attempts to upload malicious files). For example, a genuine xlsx file is recognized as application/vnd.openxmlformats-officedocument.spreadsheetml.sheet. If I rename a .pdf file to .xlsx it is correctly identified as application/pdf anyway. But if I rename a .docx file to .xlsx the function reports it as a spreadsheet even though it isn't. And if I allow .docx files in my file filter and rename a .xlsx file to .docx it will similarly return application/vnd.openxmlformats-officedocument.wordprocessingml.document even though it isn't.
You know that it is virtually impossible to accurately differentiate docx and xlsx files, right?

All "new" Office file formats are simply zip files. They all have the same zip signature. Without extracting the content from the zip file and deeply analyzing the content, it is not possible to be sure what file it is.
Hi Alexandre and thanks for the clarification on how the office file format works. I am now implementing a validity check for an uploaded file in an import function. If I detect a file that has an unexpected mime type, is there a way to tell the TIWFileUploader component to consider it as failed (which I assume would color it red and generate the OnAsyncUploadError event rather than OnAsyncUploadSuccess)? This is my current test code (which works functionally, but it would be nicer if the file was not shown in green):

procedure TBaseClientImportWebDialog.FileUploaderWebFrameFileUploaderAsyncUploadCompleted(
  Sender: TObject; var DestPath, FileName: string; var SaveFile, Overwrite: Boolean);
var
  MimeType, FileExt: string;
begin
  try
    MimeType := TIWFileUploader.CheckMimeType();
    FileExt := ExtractFileExt(FileName);
    // Accept the file only when the extension and the detected mime type agree
    if (SameText(FileExt, '.xls') and (Pos('excel', MimeType) > 0)) or
      (SameText(FileExt, '.xlsx') and (Pos('spreadsheet', MimeType) > 0)) or
      ((SameText(FileExt, '.txt') or (SameText(FileExt, '.csv'))) and (MimeType = '')) then
    begin
      ReportDebugUI(SafeFormat('Uploaded file %s, mime type: %s', [FileName, MimeType]));
      FileName := 'Import' + FileExt;
      ImportFileName := DestPath + FileName;
    end
    else
    begin
      // Mismatch: warn, tell the user and do not save the upload
      ReportWarning(SafeFormat('Uploaded file %s does not appear to be a valid %s file, mime type: %s',
        [FileName, FileExt, MimeType]));
      WebApplication.ShowMessage(SafeFormat(LangConv.Texts[tiInvalidFileType], [FileExt]));
      SaveFile := False;
      ImportFileName := '';
    end;
  except
    on E: Exception do
      ReportException(E, 'trying to check mime type for uploaded import file ' + FileName);
  end;
end;

procedure TBaseClientImportWebDialog.FileUploaderWebFrameFileUploaderAsyncUploadError(
  Sender: TObject; EventParams: TStringList);
begin
  NextButton.Enabled := False;
end;

procedure TBaseClientImportWebDialog.FileUploaderWebFrameFileUploaderAsyncUploadSuccess(
  Sender: TObject; EventParams: TStringList);
begin
  NextButton.Enabled := ImportFileName <> '';
end;
Let me test it and see what I get. I'll get back to you soon.

Just wanted to update you on the usage of TIWFileUploader.CheckMimeType(); we have had it running in production for a while now. We have noticed one issue: if a user uploads a password protected xlsx file the function returns an empty string, which causes our security check to tell the user that it does not appear to be a valid xlsx file. Normally, the function will return 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet' or 'application/zip' (we get the latter for Excel files we have created ourselves using TMS FlexCel). It would be great if it could return one of these also in the case of password protection.

Best regards

Magnus Oskarsson
Can you please attach a sample of a file that fails?
Attached is a password protected sample file. The password is 'Atozed' if you want to look at the contents.

Best regards

Magnus Oskarsson

Attached Files
.xlsx   EmWebClient_Import_Eng.xlsx (Size: 14.5 KB / Downloads: 1)
Thank you. Alexandre will take it from here.
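
Added example (not part of the original thread and not Atozed's implementation): a content-based check for the two cases discussed above. It tells .xlsx from .docx by reading the zip package's [Content_Types].xml, and it recognizes the OLE2 compound-file container in which password-protected Office documents are stored instead of a zip. `SniffUpload`, `SniffOfficeFile` and `TSniffedKind` are hypothetical names; the zip access uses Delphi's own System.Zip unit.

```delphi
program SniffUpload; // hypothetical name; added example, not code from the thread
{$APPTYPE CONSOLE}
uses
  System.SysUtils, System.Classes, System.TypInfo, System.Zip;
type
  TSniffedKind = (skUnknown, skXlsx, skDocx, skOtherZip, skOleCompound);
const
  // OLE2 compound-file header (encrypted OOXML and legacy .xls/.doc); not a zip
  CfbMagic: array[0..7] of Byte = ($D0, $CF, $11, $E0, $A1, $B1, $1A, $E1);
  XlsxMain = 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml';
  DocxMain = 'application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml';

function SniffOfficeFile(const APath: string): TSniffedKind;
var
  Head: array[0..7] of Byte;
  Got: Integer;
  Stream: TFileStream;
  Zip: TZipFile;
  Bytes: TBytes;
  Types: string;
begin
  Stream := TFileStream.Create(APath, fmOpenRead or fmShareDenyWrite);
  try
    Got := Stream.Read(Head, SizeOf(Head));
  finally
    Stream.Free;
  end;
  if (Got = SizeOf(Head)) and CompareMem(@Head, @CfbMagic, SizeOf(Head)) then
    Exit(skOleCompound);
  if (Got < 2) or (Head[0] <> $50) or (Head[1] <> $4B) then Exit(skUnknown); // no 'PK'
  Result := skOtherZip; // a zip, but not yet shown to be xlsx or docx
  Zip := TZipFile.Create;
  try
    Zip.Open(APath, zmRead);
    if Zip.IndexOf('[Content_Types].xml') < 0 then Exit;
    Zip.Read('[Content_Types].xml', Bytes); // the package's part-type manifest
    Types := TEncoding.UTF8.GetString(Bytes);
    if Pos(XlsxMain, Types) > 0 then
      Result := skXlsx
    else if Pos(DocxMain, Types) > 0 then
      Result := skDocx;
  finally
    Zip.Free;
  end;
end;

begin
  Writeln(GetEnumName(TypeInfo(TSniffedKind), Ord(SniffOfficeFile(ParamStr(1)))));
end.
```

Macro-enabled and template packages (.xlsm, .docm, .xltx) declare different main content types and come back as skOtherZip, and a corrupt zip raises from `Zip.Open`, so call the function inside the upload handler's existing try/except. A substring match on the manifest is a classification aid for the extension check, not proof that the file is harmless.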
