我有一个 C# 应用程序,我在其中上传图像并将其存储在目录中。我正在检查文件,以便在上传之前允许一种图像格式。当我使用 Veracode 测试我的模块时,它显示目录遍历问题 CWE ID 73.. 我不确定它是否正确,因为我在上传之前检查文件类型
我上传文件的代码如下
if (filebigimage.HasFile)
{
if ((((((this.filebigimage.PostedFile.ContentType == "image/gif") | (this.filebigimage.PostedFile.ContentType == "image/pjpeg")) | (this.filebigimage.PostedFile.ContentType == "image/jpeg")) | (this.filebigimage.PostedFile.ContentType == "image/jpg")) | (this.filebigimage.PostedFile.ContentType == "image/png")) | (this.filebigimage.PostedFile.ContentType == "image/bmp"))
{
// string StrBigImageName = (ConfigurationManager.AppSettings["offerImagePath"] + "BigImages/Temp/");
if ((this.filebigimage.PostedFile.ContentType == "image/gif"))
{
strBigimgformat = ".gif";
objBigImgFormat = System.Drawing.Imaging.ImageFormat.Gif;
}
else if ((this.filebigimage.PostedFile.ContentType == "image/pjpeg") | (this.filebigimage.PostedFile.ContentType == "image/jpeg") | (this.filebigimage.PostedFile.ContentType == "image/jpg"))
{
strBigimgformat = ".jpg";
objBigImgFormat = System.Drawing.Imaging.ImageFormat.Jpeg;
}
else if ((this.filebigimage.PostedFile.ContentType == "image/png"))
{
strBigimgformat = ".png";
objBigImgFormat = System.Drawing.Imaging.ImageFormat.Png;
}
filebigimage.SaveAs(Server.MapPath(ConfigurationManager.AppSettings["offerImagePath"] + "BigImages/Temp/") + filebigimage.FileName);
strbigimagename = filebigimage.FileName;
}
}
然后我将值存储到数据库中并获取行的 ID 号并创建文件名并将此文件从临时文件夹移动到主文件夹
if (File.Exists(Server.MapPath(ConfigurationManager.AppSettings["offerImagePath"]
+ "BigImages/Temp/" + strbigimagename)))
{
File.Move(Server.MapPath("../" + ConfigurationManager.AppSettings["offerImagePath"] + "BigImages/Temp/"
+ strbigimagename), Server.MapPath("../" + ConfigurationManager.AppSettings["offerImagePath"] + "BigImages/" + strorderid + "_bigimage" + strBigimgformat));
}
请让我知道它有什么问题......它是否容易受到目录遍历问题的影响