How To Add an Attachment File Type - Post CP4

Document ID : KB000028763
Last Modified Date : 14/02/2018
The following has been included with CP4:
 
There are two levels of security for verifying the file types of attachments.
The first level checks the extension of the file being uploaded. The list of
extensions that can be uploaded to Catalog is configured in the ESAPI.properties
file (under the ApprovedUploadExtensions property) located at
USM_HOME\view\conf. This layer screens out unwanted file extensions.
 
The second level validates the actual content being uploaded into the system.
Even if an attacker changes the file extension to an approved value and tries
to upload malicious content, the system prevents this using the concept of
magic numbers: every file content type can be identified by its first few
bytes, which signify the type of data being uploaded. A new properties file,
FileTypeSignatures.properties, located at USM_HOME\view\webapps\usm\conf,
stores the map between invalid file extensions and their corresponding magic
number values. Before a file is uploaded into the Catalog, the system
validates its content against this data.
Please note that FileTypeSignatures.properties should contain the list of all
file extensions that are to be blocked by the Catalog system.
Please note that ESAPI.properties and FileTypeSignatures.properties are
included in this patch and will be replaced in your environment once you
install the patch. These files contain the default property values as defined
by the Service Catalog system.
 
The following is an example to allow .xlsx files:
 
- Added ',.xlsx' to 'HttpUtilities.ApprovedUploadExtensions' within
%USM_HOME%\view\conf\ESAPI.properties
- Removed the following signature from
%USM_HOME%\view\webapps\usm\config\FileTypeSignatures.properties (as this
was the signature used for the .xlsx I was testing with, and as per
http://en.wikipedia.org/wiki/List_of_file_signatures the signature may be
the same for zip/jar/xlsx):
 
50 4B 03 04
 
- Recycled the Catalog service
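As an added illustration (not part of the original article or of the product's code), the following Python sketch reproduces the two-level check described above and the .xlsx case from the example: a ZIP-style header is rejected while 50 4B 03 04 is listed in the signature file, and accepted once that entry is removed. The properties contents, sample payloads and function names are constructed assumptions, not the product's shipped defaults.

```python
from typing import Dict, Set, Tuple

# Constructed stand-ins for the two properties files the article describes;
# the values are illustrative, not the product's shipped defaults.
ESAPI_PROPERTIES = """
# Level 1: extension allow-list ('.xlsx' appended as in the article)
HttpUtilities.ApprovedUploadExtensions=.pdf,.doc,.docx,.xls,.txt,.xlsx
"""
FILETYPE_SIGNATURES = """
# Level 2: blocked extension -> magic number (hex bytes at offset 0)
exe=4D 5A
zip=50 4B 03 04
"""

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value reader for Java-style .properties text."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def approved_extensions(esapi_text: str) -> Set[str]:
    raw = parse_properties(esapi_text).get("HttpUtilities.ApprovedUploadExtensions", "")
    return {e.strip().lower() for e in raw.split(",") if e.strip()}

def blocked_signatures(sig_text: str) -> Dict[str, bytes]:
    # bytes.fromhex() ignores the spaces between hex pairs
    return {ext.lower(): bytes.fromhex(hx) for ext, hx in parse_properties(sig_text).items()}

def validate_upload(filename: str, content: bytes,
                    approved: Set[str], blocked: Dict[str, bytes]) -> Tuple[bool, str]:
    """Apply both levels in order; return (accepted, reason)."""
    _, dot, suffix = filename.rpartition(".")
    ext = ("." + suffix.lower()) if dot else ""
    if ext not in approved:                      # level 1: extension screen
        return False, f"extension '{ext or 'none'}' not approved"
    for blocked_ext, magic in blocked.items():   # level 2: magic-number check
        if content.startswith(magic):
            return False, f"content starts with blocked .{blocked_ext} signature"
    return True, "accepted"

# Constructed sample payloads: a ZIP-container header (which is what an .xlsx
# file really is) and a Windows executable renamed to an approved extension.
XLSX_SAMPLE = b"PK\x03\x04\x14\x00\x06\x00[Content_Types].xml"
RENAMED_EXE = b"MZ\x90\x00\x03\x00\x00\x00"

if __name__ == "__main__":
    approved = approved_extensions(ESAPI_PROPERTIES)
    blocked = blocked_signatures(FILETYPE_SIGNATURES)
    print(validate_upload("report.xlsx", XLSX_SAMPLE, approved, blocked))  # rejected: zip signature
    del blocked["zip"]                         # the article's fix: drop 50 4B 03 04
    print(validate_upload("report.xlsx", XLSX_SAMPLE, approved, blocked))  # accepted
    print(validate_upload("setup.pdf", RENAMED_EXE, approved, blocked))    # rejected at level 2
```

Because the second level compares the leading bytes of the content against every blocked signature, any allowed format that shares a container header with a blocked one (as .xlsx does with zip/jar) is caught until that signature is removed from the block list.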