Forum Discussion
WAF - Allow uploads of only files with certain extensions and block all other file uploads
- Jan 10, 2023
We have performed all the steps you indicated but we have not clicked on "enforce" after the removal of the wildcard, we have only saved and applied the policy.
After this change, however, it was not possible to load any page of the site because all the files loaded within the page were seen as FileType Illegal.
We therefore hypothesized that the FileTypes in that configuration can only be used to select which FileTypes can be accessed on the website (the problem is that this impacts both GET calls, and therefore download calls, and POST calls for uploads).
Hi tub91,
Just to add something:
- Leave all learnt file types as they are, and do not delete them, even if they are in wildcard form or are specific file types for your application. This is for the stability of your application, and this restriction should be applied at the parameter level.
- Another point: you should define 2 parameters in this ASM policy, one parameter with data type "File upload" and the other with "Alpha Numeric".

Let me explain more:
You should have a parameter_1 that the file is uploaded on, it's like a container, and this parameter should use (Data type = File upload). The other parameter should be triggered when you click "Button upload"; let's call it Parameter_2, and you should define this parameter as (an Alpha Numeric data type) with the regular expression (regex) that I sent in the last reply.

Please check the below snapshots from my lab:
- You can see the "choose file Button", which is defined as the "filename" parameter in the F5 ASM learning suggestions, and "select the image you want to uplaod", which is defined as the "userfile" parameter in the F5 learning suggestions.

In "filename" I should create it as (type = user input value parameter, Data type = Alpha numeric, and add the regex that I sent before in the last reply).
In "userfile" I should create it as (type = user input value, Data type = File upload).

I hope this helps you.
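The distinction discussed in this thread, as an added example that is not part of the original posts and is not F5 ASM's implementation: a simplified Python model in which the file-type check looks at the extension of the requested URL (so narrowing it also affects page loads), while the upload restriction is a regex on the uploaded file's name. The regex, the `SITE_FILE_TYPES` set, the `/upload.php` URL and the sample requests are assumptions constructed for illustration; only the `userfile` field name comes from the lab described above.

```python
import re
from email import message_from_bytes
from posixpath import splitext
from urllib.parse import urlsplit

# Assumed allowlist (the thread's regex is not shown on this page): a plain
# base name, exactly one dot, then an allowed image extension.
FILENAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.(?:jpe?g|png|gif)", re.IGNORECASE)
# Assumed set of URL extensions the site needs in order to render its pages.
SITE_FILE_TYPES = {"php", "css", "js", "png", "no_ext"}

def url_file_type(url):
    """Extension of the requested URL path; applies to GET and POST alike."""
    ext = splitext(urlsplit(url).path)[1].lstrip(".").lower()
    return ext or "no_ext"

def upload_filenames(content_type, body):
    """Map form field name -> client-supplied filename for each file part."""
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    return {part.get_param("name", header="content-disposition"): part.get_filename()
            for part in message_from_bytes(raw).walk()
            if part.get_filename() is not None}

def check_request(method, url, content_type="", body=b"", file_types=SITE_FILE_TYPES):
    """Return the violations raised for one request (empty list = allowed)."""
    violations = []
    if url_file_type(url) not in file_types:
        violations.append("illegal file type: " + url_file_type(url))
    if method == "POST" and content_type.startswith("multipart/form-data"):
        for field, name in upload_filenames(content_type, body).items():
            if not FILENAME_RE.fullmatch(name):
                violations.append(f"illegal value in {field}: {name}")
    return violations

CT = "multipart/form-data; boundary=B"

def sample_upload(filename):
    """Constructed multipart body with one file field named 'userfile'."""
    return (b'--B\r\nContent-Disposition: form-data; name="userfile"; filename="'
            + filename.encode() + b'"\r\nContent-Type: image/png\r\n\r\nDATA\r\n--B--\r\n')

if __name__ == "__main__":
    print(check_request("GET", "/index.php", file_types={"png", "jpg"}))
    for name in ("cat.png", "notes.php", "notes.php.jpg"):
        print(name, check_request("POST", "/upload.php", CT, sample_upload(name)))
```

The regex is applied with `fullmatch` and excludes dots from the base name, so a double extension such as `notes.php.jpg` is rejected rather than accepted on its last suffix.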
- tub91, Jan 10, 2023, Cirrus
Mohamed_Ahmed_Kansoh thanks, it works 😀 During our first test we didn't set a parameter correctly.