Forum Discussion
fpieressa
Altostratus
AltostratusAllow or Deny http upload file by extension
Hi! Is there any way to force in a Web Application that only some specific file extentions can be uploaded using Form-based File Upload (RFC 1867)? Using this way, the file is not uploaded in an http parameter, they are uploaded in the body of the http POST using MIME... thanks!
hoolioCirrostratus
ASM should still parse the parameters and values in a multipart/form-data based upload request.
You could configure an object for the page which receives the POST request (something like /path/to/upload.html) and a parameter (probably named "filename") on the object. You can configure the filename parameter using a regex like ^.*\.(txt|doc|html)$. This would allow a client to submit a request with the filename parameter set to anything ending in .txt .doc or .html. Any other filename would trigger a violation on the parameter not matching the regex. Note that this doesn't restrict the actual content a client uploads--just the filename they use when uploading the file.
Aaron- hoolioCan you post an anonymized copy of the request?
Thanks,
Aaron 
fpieressaOf course, here you have, thanks!
POST /uploader.php HTTP/1.1
Host: 192.168.1.128
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://192.168.1.128/upload.php
Content-Type: multipart/form-data; boundary=---------------------------24464570528145
Content-Length: 842
-----------------------------24464570528145
Content-Disposition: form-data; name="MAX_FILE_SIZE"
100000
-----------------------------24464570528145
Content-Disposition: form-data; name="uploadedfile"; filename="borrar1.pl"
Content-Type: text/x-perl
!/usr/bin/perl
print "hola\n";
...
-----------------------------24464570528145--- hoolioIn just about every multipart form upload request I've seen (and your example) the file name the client provides is included in the filename parameter. The RFC states it could be specified in an actual HTTP header, but I've never seen that done. In your example, the actual data is passed in the uploadedfile parameter. So you could configure an object of "/upload.php" and possibly two object parameters. filename would be the one you'd restrict the file name extensions with a regex for. If you want to allow binary content to be uploaded, you'd want to define a second parameter named uploadedfile with a type of binary (length check only).
Can you try testing this to confirm it works for your scenario?
Thanks,
Aaron - fpieressaGreat! Applying a regex to the "filename" parameter works perfectly, I didn't understand how multipart works, thanks!
- hoolioGood to see you got it working.
Aaron