Self-Solve Knowledge Search

Minimize Maximize
Additional protection with file extensions from the web client side
Title :
Additional protection with file extensions from the web client side
Document ID :
KM02029529
Product - Version:
service manager 9.35 ;
OS :
Updated :
Mon Dec 21 08:56:51 GMT 2015
Summary :
Feature in web client side to block attachments with certain file extensions

Service Manager (SM) introduced "whitelist" in web side from 9.35.  Please refer to 9.35 release notes on page 16: Chapter Other Enhancement > Type of files that are not allowed as attachment.

During attachment file processing on the Service Manager Web tier, it is possible to configure a whitelist (allowed list) of file extensions that may be uploaded by users.
This is an additional layer of filtering and protection that will occur at the SM Web tier before the file ever reaches the SM Server (RTE) for additional processing.

Solution

The web client provides additional protection using a so-called "whitelist" to control what types of attachments are allowed to be submitted to Service Manager. From the web client, user can submit only attachments whose file types are in this whitelist. In the out-of-box system, this whitelist includes the following file types, which are considered safe:

  • bmp
  • jpg
  • jpeg
  • png
  • gif
  • txt
  • log
  • unl
  • csv

This whitelist is defined in the web tier configuration file (web.xml) as shown below (see the four "allowed" parameters highlighted in bold). You can adjust the list at your own risk.

<servlet>
    <description>File Upload Servlet.</description>
    <display-name>File Upload Servlet</display-name>
    <servlet-name>FileUpload</servlet-name>
    <servlet-class>com.hp.ov.sm.client.webtier.FileUploadServlet</servlet-class>
    <init-param>
      <param-name>allowed</param-name>
      <param-value>bmp,jpg,jpeg,png,gif,txt,log,unl,csv</param-value>
    </init-param>
  </servlet>
  <servlet>
    <description>Image Upload Servlet.</description>
    <display-name>Image Upload Servlet</display-name>
    <servlet-name>ImageUpload</servlet-name>
    <servlet-class>com.hp.ov.sm.client.webtier.FileUploadServlet</servlet-class>
    <init-param>
      <param-name>allowed</param-name>
      <param-value>bmp,jpg,jpeg,png,gif</param-value>
    </init-param>
    <init-param>
      <param-name>success</param-name>
      <param-value>../imageUploaded.jsp</param-value>
    </init-param>
  </servlet>
  <servlet>
    <description>Attachment upload servlet</description>
    <display-name>Attachment Upload Servlet</display-name>
    <servlet-name>AttachmentUpload</servlet-name>
    <servlet-class>com.hp.ov.sm.client.webtier.FileUploadServlet</servlet-class>
    <init-param>
      <param-name>allowed</param-name>
      <param-value>bmp,jpg,jpeg,png,gif,txt,log,unl,csv</param-value>
    </init-param>
    <init-param>
      <param-name>success</param-name>
      <param-value>../attachmentUploaded.jsp</param-value>
    </init-param>
  </servlet>
  <servlet>
    <description>Attachment upload servlet for AJAX request</description>
    <display-name>Attachment Upload Servlet for AJAX request</display-name>
    <servlet-name>AttachmentUploadAjax</servlet-name>
    <servlet-class>com.hp.ov.sm.client.webtier.FileUploadAjaxServlet</servlet-class>
    <init-param>
      <param-name>allowed</param-name>
      <param-value>bmp,jpg,jpeg,png,gif,txt,log,unl,csv</param-value>
    </init-param>
  </servlet>
  <servlet>
    <description>Unique attachment upload servlet</description>
    <display-name>Unique Upload Servlet</display-name>
    <servlet-name>UniqueUpload</servlet-name>
    <servlet-class>com.hp.ov.sm.client.webtier.FileUploadServlet</servlet-class>
    <init-param>
      <param-name>allowed</param-name>
      <param-value>bmp,jpg,jpeg,png,gif,txt,log,unl,csv</param-value>
    </init-param>
    <init-param>
      <param-name>success</param-name>
      <param-value>../uniqueUploaded.jsp</param-value>
    </init-param>
  </servlet>

Please give thoughtful consideration to the list of files as the defaults may be too restrictive. This parameter specifies the allowed list of file extensions that may be attached to a SM record such as an Incident, Change, Interaction or Problem record.