Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie

Sending email with Attachments form ASP.NET

Options
  • 02-03-2009 12:25pm
    #1
    floyd333
    Registered Users Posts: 246 ✭✭


    Hi All,

    I’m developing an ASP.Net app that allows external users to email in attachments. I was originally going to use the bog standard ASP.Net mail functionality that saves the file to the server hard drive before sending. However our infrastructure team refused to allow this saying that we could not verify the attachments sent in. They said that file extensions could be renamed to something safe (/doc, /pdf) etc and mailed in.
    To get around this I am reading the files input stream and temporarily storing as a binary data in a SQl Server 2000 DB. I then read from the database and attach the file. The file is deleted once the mail is sent.

    However this is proving way too slow. I’d be interested to hear some other thoughts on this. Is there an easy, fast and safe way to accept email attachments?


Comments

  • Options
    #2
    Eoin
    Registered Users Posts: 21,257 ✭✭✭✭Eoin


    Is this any use? In-Memory E-mail Attachments in ASP.NET 2.0


  • Options
    #3
    floyd333
    Registered Users Posts: 246 ✭✭floyd333


    eoin wrote: »
    Is this any use? In-Memory E-mail Attachments in ASP.NET 2.0

    Chhers for that eoin but, I looked at this approach but in my app the user can attach up to 10 attachments. I do a post back when they browse and attach a document as I need to do some server side checks (field size, name, type etc.). I don’t know how to hold onto previously attached documents/ memory streams through the post backs…..


  • Options
    #4
    matrim
    Registered Users Posts: 7,518 ✭✭✭matrim


    floyd333 wrote: »
    Hi All,

    They said that file extensions could be renamed to something safe (/doc, /pdf) etc and mailed in.

    If the infrastructure team don't mind the user renaming the file to something safe before uploading and saving on the disk, could you not just do that as part of the upload. e.g. user wants to send file file.zip
    He uploads file.zip, before saving it you rename to file.doc, and same the original extention in the DB.
    Then before sending you change the extension back to file.zip


  • Options
    #5
    floyd333
    Registered Users Posts: 246 ✭✭floyd333


    matrim wrote: »
    If the infrastructure team don't mind the user renaming the file to something safe before uploading and saving on the disk, could you not just do that as part of the upload. e.g. user wants to send file file.zip
    He uploads file.zip, before saving it you rename to file.doc, and same the original extention in the DB.
    Then before sending you change the extension back to file.zip

    Sorry. I didn’t explain myself well. The infrastructure team don’t want users renaming files we have a safe list of files we accept (doc, pdf, xls, ppt and jpg). The infrastructure team are concerned that an unscrupulous user could rename a file or change the extension of a malicious file and then upload the bad file to our web server…:eek:


  • Options
    #6
    Eoin
    Registered Users Posts: 21,257 ✭✭✭✭Eoin


    But there is no problem with it being emailed to an internal account?

    How about if you upload it, zip it, email it and then delete it from the server? It will still (briefly) be on the server unzipped though.

    Is there any way of checking the mime type to check that the file is what it's supposed to be?


  • Advertisement
  • Options
    #7
    floyd333
    Registered Users Posts: 246 ✭✭floyd333


    eoin wrote: »
    But there is no problem with it being emailed to an internal account?

    How about if you upload it, zip it, email it and then delete it from the server? It will still (briefly) be on the server unzipped though.

    Is there any way of checking the mime type to check that the file is what it's supposed to be?

    Thanks Eoin. Yes it's easy to check the MIME Type. I am doing this already and stroing it in a database field.


  • Options
    #8
    Ginger
    Registered Users Posts: 2,931 ✭✭✭Ginger


    Oki doki

    Have you seen the Request.Files collection. You can add multiple files in the one upload buy having 1 fileupload control on the page (http://www.codetoad.com/asp.net_multiplefileupload.asp)

    Now.. on the IIS side of things. Create the upload folder and give it no execute permissions that will remove issues with executing on the local server. Basic security

    When the mail is sent make sure it fires through a mail scanner to ensure that all documents are scanned before they are sent to your system. Alternatively have them run through a relay account to verify.

    You can also use OPSWat http://www.opswat.com/ to interact with certain AV vendor tools. http://www.filterbit.com/ is an example of this.. bit pricey tho

    Also there SOPHOS command line is http://www.sophos.com/support/knowledgebase/article/13252.html

    Maybe even this http://forums.asp.net/p/890935/956276.aspx

    Dont know if there is anything else that will help other than using something like the Telerik upload controls which stop certain file types..


Advertisement