Allow or Deny http upload file by extension

Question

Hi! Is there any way to force in a Web Application that only some specific file extentions can be uploaded using Form-based File Upload (RFC 1867)?  Using this way, the file is not uploaded in an http parameter, they are uploaded in the body of the http POST using MIME... thanks!

hooleylist · Answer

ASM should still parse the parameters and values in a multipart/form-data based upload request. 
&nbsp;  
&nbsp; You could configure an object for the page which receives the POST request (something like /path/to/upload.html) and a parameter (probably named "filename") on the object.  You can configure the filename parameter using a regex like ^.*\.(txt|doc|html)$.  This would allow a client to submit a request with the filename parameter set to anything ending in .txt .doc or .html.  Any other filename would trigger a violation on the parameter not matching the regex.  Note that this doesn't restrict the actual content a client uploads--just the filename they use when uploading the file. 
&nbsp;  
&nbsp; Aaron

hooleylist · Answer

Can you post an anonymized copy of the request? 
&nbsp;  
&nbsp; Thanks, 
&nbsp; Aaron

fpieressa · Answer

Of course, here you have, thanks! 
&nbsp;  
&nbsp; POST /uploader.php HTTP/1.1 
&nbsp; Host: 192.168.1.128 
&nbsp; User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9 
&nbsp; Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
&nbsp; Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3 
&nbsp; Accept-Encoding: gzip,deflate 
&nbsp; Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 
&nbsp; Keep-Alive: 300 
&nbsp; Connection: keep-alive 
&nbsp; Referer: http://192.168.1.128/upload.php 
&nbsp; Content-Type: multipart/form-data; boundary=---------------------------24464570528145 
&nbsp; Content-Length: 842 
&nbsp;  
&nbsp; -----------------------------24464570528145 
&nbsp; Content-Disposition: form-data; name="MAX_FILE_SIZE" 
&nbsp; 100000 
&nbsp;  
&nbsp; -----------------------------24464570528145 
&nbsp; Content-Disposition: form-data; name="uploadedfile"; filename="borrar1.pl" 
&nbsp; Content-Type: text/x-perl 
&nbsp;  
&nbsp; !/usr/bin/perl 
&nbsp;  
&nbsp;   print "hola
"; 
&nbsp;   ... 
&nbsp; -----------------------------24464570528145--

hooleylist · Answer

In just about every multipart form upload request I've seen (and your example) the file name the client provides is included in the filename parameter.  The RFC states it could be specified in an actual HTTP header, but I've never seen that done.  In your example, the actual data is passed in the uploadedfile parameter.  So you could configure an object of "/upload.php" and possibly two object parameters.  filename would be the one you'd restrict the file name extensions with a regex for.  If you want to allow binary content to be uploaded, you'd want to define a second parameter named uploadedfile with a type of binary (length check only). 
&nbsp;  
&nbsp; Can you try testing this to confirm it works for your scenario? 
&nbsp;  
&nbsp; Thanks, 
&nbsp; Aaron

fpieressa · Answer

Great! Applying a regex to the "filename" parameter works perfectly, I didn't understand how multipart works, thanks!

Forum Discussion

Allow or Deny http upload file by extension

6 Replies

Recent Discussions

import live updates from version x to version y

Tenant image upgrade

iRule editor partition button does not work

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

WAF - Allow uploads of only files with certain extensions and block all other file uploads

F5 CIS, TLS Extensions, and troubleshooting

File upload and ASM

File Uploads and ASM

add /browerWeb Extension after domain name