c# - Is HttpPostedFile.ContentType a flawless way to validate an uploaded file?

Question

I want to validate the file type to make sure the user is uploading an image of type JPEG, GIF, or PNG. Instead of checking the file extension, I figured using HttpPostedFile.ContentType would be safer since it checks the MIME content type.

protected void cvValidateImageType_ServerValidate(object source, ServerValidateEventArgs args)
{
    if (fupImage.HasFile)
    {
        args.IsValid = (fupImage.PostedFile.ContentType.ToLower() == "image/jpg" ||
                        fupImage.PostedFile.ContentType.ToLower() == "image/jpeg" ||
                        fupImage.PostedFile.ContentType.ToLower() == "image/pjpeg" ||
                        fupImage.PostedFile.ContentType.ToLower() == "image/gif" ||
                        fupImage.PostedFile.ContentType.ToLower() == "image/x-png" ||
                        fupImage.PostedFile.ContentType.ToLower() == "image/png");

    }
    else
        args.IsValid = true;
}

Is this a flawless way to check the file type, or can it be fooled?

Answer 1

Using the extension is probably safer. The ContentType is sent in the http request from the client. If you test for the extension, the user can change the extension of an exe to jpg, but it won't run as an exe.