ASM- Null in multi-part parameter value- Clarification

I see this one pretty regularly. Unfortunately I haven't found a way to cleanly handle it on ASM and technically it's a problem with the application, so I don't expect a solution from F5.

In multipart/form-data POST requests, the value of the "name" directive of the Content-Disposition header is the parameter name. If the web application needs the actual file name, there's the "filename" directive for that (see for example https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition )

However, as I mentioned, I've come accross several instances where the file name was also used for the "name" directive. ASM is parsing this correctly, resulting in completely unpredictable parameter names, because they now actually depend on what the end user uploaded.

You can try talking to the developers of the web application and get them to change the form. Or you can implement a very broad wildcard parameter (e.g. a "*" on the path of the form with parameter type file upload) which of course would also cover all kinds of other parameters and reduce the protection level. Or if it's just the "null in multipart" violation, disable that one globally.

If anyone else is aware of an easier or more secure solution, I would also like to hear it.