
Support for blocking attachments with certain file extensions

To prevent potentially dangerous files from being attached to records, Service Manager can block certain types of attachments submitted through the Windows client, the web client, and web services, based on a pre-defined list of forbidden file extensions. The decision is made on the file name's extension only; the content of the file is not inspected.

At startup, the web tier and the Windows client retrieve the forbidden list from the extensionstate table in the database. If no list is available, the clients fall back to a default list of forbidden file types stored on the client side (see Default forbidden list of attachment file extensions). The clients block attachments as follows:

  • When users attempt to attach a file whose extension is in the forbidden list to a record, the clients refuse to attach the file and display an error (where <filetype> is the file extension): "File type: <filetype>, is not allowed as an attachment."
  • If the clients retrieve an existing attachment whose extension is in the forbidden list, the clients append ".UNSAFE" to the file name so that the file is not automatically run on the user's machine. The content of the file is not changed; only the name is.

During web services processing, if a transaction submits or retrieves a file as an attachment whose extension is included in the forbidden list, the server appends “.UNSAFE” to the submitted or retrieved file name.
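As an added illustration, not Service Manager code, the following Python models the decision flow described above: every channel applies the forbidden list on submission, existing attachments whose extension is forbidden are handed back with ".UNSAFE" appended, and the web client additionally applies the web-tier whitelist described in the next section. The forbidden list, the channel names and the helper names are this example's own assumptions; the page does not reproduce the real default list.

```python
"""Attachment extension policy modelled on the behaviour described above.
Added example, not Service Manager code: the lists, channel names and
helper names are this example's own assumptions."""
import os

# Constructed stand-in for the forbidden list held in the extensionstate table
# (the page does not reproduce the real default list).
FORBIDDEN = {"exe", "bat", "cmd", "com", "js", "vbs", "scr", "msi", "ps1"}
# Out-of-box web-tier whitelist, copied from the "allowed" parameter in web.xml.
WEB_WHITELIST = {"bmp", "jpg", "jpeg", "png", "gif", "txt", "log", "unl", "csv"}
UNSAFE_SUFFIX = ".UNSAFE"


class AttachmentRejected(Exception):
    """Raised when an upload is refused; the message mirrors the client error."""


def extension_of(filename):
    """Return the lower-cased final extension of a file name, or '' if none.

    Directory components (either separator) are dropped, and trailing dots or
    spaces are stripped first, so 'evil.exe.' and 'report.pdf.EXE' are both
    classed as 'exe'. Only the last extension counts, as the page describes.
    """
    name = os.path.basename(filename.replace("\\", "/")).rstrip(". ")
    _root, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def check_submission(filename, channel):
    """Decide whether an upload is accepted on a given channel.

    channel is 'web', 'windows' or 'webservice' (assumed names). Every channel
    applies the forbidden list; the web client additionally requires the
    extension to be on the web-tier whitelist.
    """
    ext = extension_of(filename)
    if ext in FORBIDDEN:
        raise AttachmentRejected(f"File type: {ext}, is not allowed as an attachment.")
    if channel == "web" and ext not in WEB_WHITELIST:
        raise AttachmentRejected(f"File type: {ext}, is not in the web-tier whitelist.")
    return filename


def name_for_retrieval(stored_name):
    """Name to hand back when an existing attachment is retrieved.

    Existing attachments whose extension is now forbidden (for example, stored
    before the list was tightened) are not deleted; the clients and web
    services append '.UNSAFE' so the file is not automatically run. The file
    content itself is untouched.
    """
    if extension_of(stored_name) in FORBIDDEN:
        return stored_name + UNSAFE_SUFFIX
    return stored_name


if __name__ == "__main__":
    for name, channel in [("photo.jpg", "web"), ("notes.docx", "windows"),
                          ("notes.docx", "web"), ("report.pdf.EXE", "webservice")]:
        try:
            print(channel, "accepts", check_submission(name, channel))
        except AttachmentRejected as err:
            print(channel, "rejects", name, "->", err)
    print(name_for_retrieval("old_tool.exe"))
```

Note what the example makes explicit: the check is purely name-based, so a forbidden payload with an allowed extension is not caught, and the ".UNSAFE" rename only removes the file-type association on the user's machine; the bytes delivered are the same.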

System Administrators can add, delete, and update records in the extensionstate table to customize the forbidden list of attachment file extensions. For details, see Customize the forbidden list of attachment file extensions.

If a search engine is installed and connected to the system, System Administrators also need to update the sclib knowledgebase records to add .unsafe to the list of file extensions that are skipped for knowledgebase indexing. See Add .unsafe to the list of file extensions to skip for knowledgebase indexing.

Additional protection from the web client side

The web client provides additional protection using a so-called "whitelist" that controls which types of attachments may be submitted to Service Manager. From the web client, you can submit only attachments whose file types are in this whitelist; the Windows client and web services are governed by the forbidden list alone. In the out-of-box system, this whitelist includes the following file types, which are considered safe:

  • bmp
  • jpg
  • jpeg
  • png
  • gif
  • txt
  • log
  • unl
  • csv

This whitelist is defined in the web tier configuration file (web.xml) as the "allowed" init-param of each upload servlet, as shown below. Note that the ImageUpload servlet carries a shorter list than the other four. You can adjust the list at your own risk; keep it consistent with the forbidden list, since the web client accepts an extension only if it is absent from the forbidden list and present in this whitelist.

  <servlet>
    <description>File Upload Servlet.</description>
    <display-name>File Upload Servlet</display-name>
    <servlet-name>FileUpload</servlet-name>
    <servlet-class>com.hp.ov.sm.client.webtier.FileUploadServlet</servlet-class>
    <init-param>
      <param-name>allowed</param-name>
      <param-value>bmp,jpg,jpeg,png,gif,txt,log,unl,csv</param-value>
    </init-param>
  </servlet>
  <servlet>
    <description>Image Upload Servlet.</description>
    <display-name>Image Upload Servlet</display-name>
    <servlet-name>ImageUpload</servlet-name>
    <servlet-class>com.hp.ov.sm.client.webtier.FileUploadServlet</servlet-class>
    <init-param>
      <param-name>allowed</param-name>
      <param-value>bmp,jpg,jpeg,png,gif</param-value>
    </init-param>
    <init-param>
      <param-name>success</param-name>
      <param-value>../imageUploaded.jsp</param-value>
    </init-param>
  </servlet>
  <servlet>
    <description>Attachment upload servlet</description>
    <display-name>Attachment Upload Servlet</display-name>
    <servlet-name>AttachmentUpload</servlet-name>
    <servlet-class>com.hp.ov.sm.client.webtier.FileUploadServlet</servlet-class>
    <init-param>
      <param-name>allowed</param-name>
      <param-value>bmp,jpg,jpeg,png,gif,txt,log,unl,csv</param-value>
    </init-param>
    <init-param>
      <param-name>success</param-name>
      <param-value>../attachmentUploaded.jsp</param-value>
    </init-param>
  </servlet>
  <servlet>
    <description>Attachment upload servlet for AJAX request</description>
    <display-name>Attachment Upload Servlet for AJAX request</display-name>
    <servlet-name>AttachmentUploadAjax</servlet-name>
    <servlet-class>com.hp.ov.sm.client.webtier.FileUploadAjaxServlet</servlet-class>
    <init-param>
      <param-name>allowed</param-name>
      <param-value>bmp,jpg,jpeg,png,gif,txt,log,unl,csv</param-value>
    </init-param>
  </servlet>
  <servlet>
    <description>Unique attachment upload servlet</description>
    <display-name>Unique Upload Servlet</display-name>
    <servlet-name>UniqueUpload</servlet-name>
    <servlet-class>com.hp.ov.sm.client.webtier.FileUploadServlet</servlet-class>
    <init-param>
      <param-name>allowed</param-name>
      <param-value>bmp,jpg,jpeg,png,gif,txt,log,unl,csv</param-value>
    </init-param>
    <init-param>
      <param-name>success</param-name>
      <param-value>../uniqueUploaded.jsp</param-value>
    </init-param>
  </servlet>
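When reviewing a customized web tier, a practitioner wants to see every "allowed" list in web.xml and compare it with the forbidden list rather than trust the out-of-box values. The following Python, an added example and not part of Service Manager, extracts the "allowed" parameter of each upload servlet from a web.xml and flags entries that are also forbidden or that go beyond the out-of-box whitelist. The embedded web.xml is a constructed, deliberately loosened fragment, and the forbidden list is an assumed stand-in for the extensionstate table.

```python
"""Audit the 'allowed' upload whitelists in a Service Manager web.xml.
Added example; the sample document and forbidden list below are constructed."""
import xml.etree.ElementTree as ET

# Out-of-box whitelist as documented for the upload servlets.
OUT_OF_BOX_ALLOWED = {"bmp", "jpg", "jpeg", "png", "gif", "txt", "log", "unl", "csv"}
# Constructed stand-in for the forbidden list in the extensionstate table.
FORBIDDEN = {"exe", "bat", "cmd", "js", "vbs"}

# Constructed web.xml fragment: FileUpload is stock, AttachmentUpload has been
# loosened by an administrator, and 'Other' is not an upload servlet at all.
SAMPLE_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>FileUpload</servlet-name>
    <servlet-class>com.hp.ov.sm.client.webtier.FileUploadServlet</servlet-class>
    <init-param><param-name>allowed</param-name>
      <param-value>bmp,jpg,jpeg,png,gif,txt,log,unl,csv</param-value></init-param>
  </servlet>
  <servlet>
    <servlet-name>AttachmentUpload</servlet-name>
    <servlet-class>com.hp.ov.sm.client.webtier.FileUploadServlet</servlet-class>
    <init-param><param-name>allowed</param-name>
      <param-value>bmp, JPG,png,svg,html,exe</param-value></init-param>
    <init-param><param-name>success</param-name>
      <param-value>../attachmentUploaded.jsp</param-value></init-param>
  </servlet>
  <servlet>
    <servlet-name>Other</servlet-name>
    <servlet-class>com.example.OtherServlet</servlet-class>
  </servlet>
</web-app>"""


def allowed_lists(web_xml_text):
    """Map each servlet that has an 'allowed' init-param to its extension set.

    Values are split on commas, trimmed and lower-cased, mirroring the
    comma-separated form used in web.xml. The '{*}' wildcard matches elements
    with or without the Java EE namespace a real web.xml usually declares.
    """
    root = ET.fromstring(web_xml_text)
    result = {}
    for servlet in root.findall(".//{*}servlet"):
        name = servlet.findtext("{*}servlet-name")
        for param in servlet.findall("{*}init-param"):
            if param.findtext("{*}param-name") == "allowed":
                raw = param.findtext("{*}param-value") or ""
                result[name] = {e.strip().lower() for e in raw.split(",") if e.strip()}
    return result


def audit(allowed, forbidden):
    """Return (servlet, extension, reason) findings, sorted for stable output.

    An extension on both lists is contradictory (the client will block it
    anyway); one outside the out-of-box set is a customization to review.
    """
    findings = []
    for servlet, exts in sorted(allowed.items()):
        for ext in sorted(exts & forbidden):
            findings.append((servlet, ext, "also on the forbidden list"))
        for ext in sorted(exts - OUT_OF_BOX_ALLOWED - forbidden):
            findings.append((servlet, ext, "not in the out-of-box whitelist"))
    return findings


if __name__ == "__main__":
    for finding in audit(allowed_lists(SAMPLE_WEB_XML), FORBIDDEN):
        print("%-18s %-6s %s" % finding)
```

Run it against a real deployment by replacing SAMPLE_WEB_XML with the contents of the web tier's web.xml and FORBIDDEN with the extensions currently in the extensionstate table; every finding is a line in the whitelist to justify or remove.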