Forum Discussion
Perry_Ler_71437
Nimbostratus
Mar 16, 2010
irule for file type checking
Hi
Can anyone point me in the right direction? I need an iRule to check the file type that is uploaded through an HTML form page.
There is HTTP::uri for the action GET but I cannot find anything for action POST.
I read that you have to use HTTP::collect to look at the payload, but within the payload I still cannot get anything. Even a regex to search for an executable is not successful. Has anyone here managed to write an iRule that can do that?
I know, this is so much easier to do on the form page using JS or whatever server-side language the form is written in. Let's say I cannot go in that direction.
Thanks in advance.
6 Replies
- naladar_65658
Altostratus
Have you looked at using HTTP::method equals "POST"?
- Perry_Ler_71437
Nimbostratus
Hi Naladar
The HTTP::method eq POST is part of the condition, but I need to look beyond it. I need to stop users from uploading exe files. When I look at the HTTP::header, the Content-Type does not know about the executable; it only displays the content type of the HTML page. So that cannot tell me that an executable file is uploaded.
Thanks
Perry
- hoolio
Cirrostratus
Hi Perry,
You could try to collect POST request payloads and then parse the payload using regexes, but it's going to be a little complicated and could be resource intensive. Here is a post where we discussed the approach:
Parse POST parameters
http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=20599
Aaron
- Perry_Ler_71437
Nimbostratus
Hi Aaron
Thanks for the link. If I just look at the content type, I can only see something like this:
Content-Type: multipart/form-data; boundary=---------7d83b43a3208ec
If I could at least see the word "executable", it would be so much easier. I'm trying to write a regex but can't seem to find the right match.
- hoolio
Cirrostratus
The HTTP Content-Type header for a multipart form upload won't reflect the datatypes of any files being uploaded. It will be set to something starting with "multipart/form-data". If you collect the HTTP payload, you could start with a generic check of the entire payload for something like:
if {[HTTP::payload] contains "Content-Type: application/octet-stream"} {
or maybe:
if {[HTTP::payload] contains "Content-Type: application"} {
Aaron
- Perry_Ler_71437
Nimbostratus
Hi Hoolio
Thanks for the reply. I was trying that out too before I saw your reply. But I just made it simpler by searching for ".exe" and it works. Of course your suggestion will be more foolproof than mine just using ".exe".
The solution is so much simpler. I kept looking at the difficult angle by trying to do a regex because I found a few articles and threads all pointing in the regex and binary match direction.
Thanks
Perry
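
The approach discussed in this thread (collect the POST payload, then inspect the multipart parts), written out as a complete iRule. This is an added example, not code posted by anyone in the thread; the 1 MB collection cap, the extension list, the "MZ" header check and the 403 response are assumptions chosen for illustration.

```tcl
when HTTP_REQUEST {
    # Only multipart form POSTs carry file parts worth inspecting.
    if { [HTTP::method] eq "POST" &&
         [string tolower [HTTP::header "Content-Type"]] starts_with "multipart/form-data" } {
        set clen [HTTP::header "Content-Length"]
        # Assumption: uploads without a Content-Length (chunked) are not handled here.
        if { [string is digit -strict $clen] && $clen > 0 } {
            # Cap the collection so large uploads do not exhaust memory.
            if { $clen > 1048576 } { set clen 1048576 }
            HTTP::collect $clen
        }
    }
}

when HTTP_REQUEST_DATA {
    set blocked 0
    set payload [HTTP::payload]

    # Check 1: look only at filename="..." values from each part's
    # Content-Disposition header, and anchor the extension at the end,
    # instead of matching ".exe" anywhere in the payload.
    foreach {match fname} [regexp -all -inline -nocase {filename="([^"]*)"} $payload] {
        if { [regexp -nocase {\.(exe|dll|scr|com|bat|msi)$} [string trim $fname]] } {
            set blocked 1
        }
    }

    # Check 2: a part body that begins with "MZ" (the DOS/PE header bytes),
    # which catches an executable uploaded under a different name.
    if { !$blocked && [regexp {\r\n\r\nMZ} $payload] } {
        set blocked 1
    }

    if { $blocked } {
        log local0. "Blocked upload from [IP::client_addr] to [HTTP::uri]"
        HTTP::respond 403 content "File type not allowed" "Content-Type" "text/plain"
    } else {
        HTTP::release
    }
}
```

Only the first 1 MB of a request is inspected, so file parts that start beyond that point are not seen, and a text field whose value begins with "MZ" will also trip the second check.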