For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

fpieressa's avatar
fpieressa
Icon for Altostratus rankAltostratus
Dec 27, 2009

Allow or Deny http upload file by extension

Hi! Is there any way to force in a Web Application that only some specific file extentions can be uploaded using Form-based File Upload (RFC 1867)? Using this way, the file is not uploaded in an http...
app sec
BIG-IP Access Policy Manager (APM)
security
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Dec 27, 2009
In just about every multipart form upload request I've seen (and your example) the file name the client provides is included in the filename parameter. The RFC states it could be specified in an actual HTTP header, but I've never seen that done. In your example, the actual data is passed in the uploadedfile parameter. So you could configure an object of "/upload.php" and possibly two object parameters. filename would be the one you'd restrict the file name extensions with a regex for. If you want to allow binary content to be uploaded, you'd want to define a second parameter named uploadedfile with a type of binary (length check only).

 

 

Can you try testing this to confirm it works for your scenario?

 

 

Thanks,

 

Aaron