Limit Files By Extension Loophole

2 posts, 0 answers
  1. Mark
    79 posts
    Member since:
    Apr 2007

    Posted 22 Aug 2009

    We discovered a loophole with the upload control.  If file types are limited by extension, the user can type an asterisk (*) in the file name text box and upload any file type they want.

    We end up having to check file types server side after the upload, delete disallowed types and then notify the user.  Has anyone else experienced this?  I'd like it if it could all be done client side with no loopholes.
  2. Kiril Stanoev
    1512 posts

    Posted 24 Aug 2009

    Hello Mark,

    What you are describing is a typical behavior of the OpenFileDialog. What you can do in this case is, on the FilesSelected event of RadUpload, to loop through the selected files and remove the ones that do not meet the Filter criteria. For example, have a look at the RadUpload below.

    <telerikInput:RadUpload IsAppendFilesEnabled="True" 
            UploadServiceUrl="~/RadUploadHandler.ashx" TargetFolder="Images" 
            IsAutomaticUpload="False" MaxFileCount="99" 
            Filter="PNG Files (*.png)|*.png" 
            OverwriteExistingFiles="True" IsMultiselect="True" 
            FilesSelected="RadUpload_FilesSelected" /> 

    Its Filter property says that only .png files can be selected. However, as you correctly pointed out, if the user types *, he/she will be presented with all file extensions and nothing can stop him/her from selecting a .txt file, for example.
    That is why, in the RadUpload_FilesSelected event handler, you can iterate through all the selected files and remove the unnecessary ones.

    // Requires: using System.Linq; (for Where and ToList)
    private void RadUpload_FilesSelected(object sender, Telerik.Windows.Controls.FilesSelectedEventArgs e)
    {
        RadUpload upload = (RadUpload)sender;
        // If the Filter property of RadUpload does not contain the extension of the selected file,
        // then the file has to be removed.
        // For this purpose, a temporary collection is used.
        var filesToRemove = e.SelectedFiles.Where(file => !upload.Filter.Contains(file.File.Extension)).ToList();
        // Remove the unnecessary files.
        foreach (var file in filesToRemove)
        {
            e.SelectedFiles.Remove(file);
        }
    }

    I have attached my sample project for further reference. Have a look at it and let us know if you experience additional problems.

    All the best,
    Kiril Stanoev
    the Telerik team
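
The handler above tests the extension with a substring match on the Filter string, which is case-sensitive and also accepts an empty extension or a fragment such as ".pn". The following is an added example, not code from this thread or from Telerik's sample project, that parses the Filter string into an exact, case-insensitive set of extensions; the `UploadFilter` class and its method names are hypothetical, and the file names are constructed.

```csharp
using System;
using System.Collections.Generic;

static class UploadFilter   // hypothetical helper, not a Telerik type
{
    // Extension including the dot, or "" when the bare file name has none.
    static string ExtensionOf(string name)
    {
        int dot = name.LastIndexOf('.');
        return dot < 0 ? "" : name.Substring(dot);
    }

    // "PNG Files (*.png)|*.png" -> { ".png" }. Odd-numbered '|' segments hold the
    // patterns; several patterns in one segment are separated by ';'.
    public static HashSet<string> AllowedExtensions(string filter)
    {
        var allowed = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        string[] parts = (filter ?? "").Split('|');
        for (int i = 1; i < parts.Length; i += 2)
            foreach (string pattern in parts[i].Split(';'))
            {
                string ext = ExtensionOf(pattern.Trim());
                // Wildcard extensions such as "*.*" name no single type: skip them.
                if (ext.Length > 1 && ext.IndexOfAny(new[] { '*', '?' }) < 0)
                    allowed.Add(ext);
            }
        return allowed;
    }

    public static bool IsAllowed(string fileName, string filter)
    {
        string ext = ExtensionOf(fileName ?? "");
        return ext.Length > 1 && AllowedExtensions(filter).Contains(ext);
    }

    static void Main()
    {
        const string filter = "PNG Files (*.png)|*.png";   // Filter value from the post
        // Constructed sample file names.
        string[] names = { "logo.png", "LOGO.PNG", "notes.txt", "x.pn", "README", "a.png.txt" };
        foreach (string name in names)
            Console.WriteLine("{0,-10} substring={1,-5} exact={2}", name,
                filter.Contains(ExtensionOf(name)), IsAllowed(name, filter));
    }
}
```

The same `IsAllowed` check can be applied again in the server-side upload handler, since a check that runs only in the client can be skipped by anyone who posts to the handler directly.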
