For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

fpieressa's avatar
fpieressa
Icon for Altostratus rankAltostratus
Dec 27, 2009

Allow or Deny http upload file by extension

Hi! Is there any way to force in a Web Application that only some specific file extentions can be uploaded using Form-based File Upload (RFC 1867)? Using this way, the file is not uploaded in an http...
app sec
BIG-IP Access Policy Manager (APM)
security
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Dec 27, 2009
ASM should still parse the parameters and values in a multipart/form-data based upload request.

 

 

You could configure an object for the page which receives the POST request (something like /path/to/upload.html) and a parameter (probably named "filename") on the object. You can configure the filename parameter using a regex like ^.*\.(txt|doc|html)$. This would allow a client to submit a request with the filename parameter set to anything ending in .txt .doc or .html. Any other filename would trigger a violation on the parameter not matching the regex. Note that this doesn't restrict the actual content a client uploads--just the filename they use when uploading the file.

 

 

Aaron