Blacklisting

M_iA
Kilo Sage

Hello! Excuse my ignorance on this topic, but what is the difference between the 2 properties:

glide.attachment.blacklisted.extensions - Blacklisted Extensions

glide.attachment.blacklisted.types - Blacklisted File Types

Many thanks

1 ACCEPTED SOLUTION

Community Alums
Not applicable

Hi @M.iA ,

glide.attachment.blacklisted.extensions: Restrict upload (Insert/Write/Update) operation of attachments with questionable file extensions.

glide.attachment.blacklisted.types: Restrict upload (Insert/Write/Update) operation of attachments with questionable file types. Example: text/html.

So, if you restrict the attachments completely, then go with glide.attachment.blacklisted.extensions, and if you just want a particular type of attachments, then go with glide.attachment.blacklisted.types.

Glad to see my answer helped you.
Kindly mark the applicable answer as Correct & Helpful both such that others can get help.

Thanks,
Sandeep
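
An added example, not part of the original answer and not ServiceNow code: a simplified JavaScript model of how the two exclusion lists match different attributes of an upload, so an entry in one list does not cover the other. Only the three property names come from the thread; the matching logic, the `checkUpload` helper, and the sample property values and uploads are assumptions constructed for illustration.

```javascript
// Added illustration: a simplified model of exclusion-list checks, not ServiceNow code.
// Property names come from the thread; the values below are constructed samples.
const props = {
  'glide.security.attachment_type.use_blacklist': 'true',
  'glide.attachment.blacklisted.extensions': 'php, exe,DLL',
  'glide.attachment.blacklisted.types': 'text/html,text/csv',
};

// Parse a comma-delimited property value into a normalized set.
function parseList(value) {
  return new Set((value || '').split(',')
    .map((s) => s.trim().toLowerCase().replace(/^\./, ''))
    .filter(Boolean));
}

// Extension = text after the last dot of the file name ('' if none).
function extensionOf(fileName) {
  const i = fileName.lastIndexOf('.');
  return i > 0 && i < fileName.length - 1 ? fileName.slice(i + 1).toLowerCase() : '';
}

// Returns which list (if any) would reject the upload in this model.
function checkUpload(p, fileName, contentType) {
  if (p['glide.security.attachment_type.use_blacklist'] !== 'true') {
    return { allowed: true, reason: 'exclusion list validation disabled' };
  }
  const ext = extensionOf(fileName);
  // Drop parameters such as "; charset=utf-8" before comparing.
  const type = (contentType || '').split(';')[0].trim().toLowerCase();
  if (parseList(p['glide.attachment.blacklisted.extensions']).has(ext)) {
    return { allowed: false, reason: 'extension:' + ext };
  }
  if (parseList(p['glide.attachment.blacklisted.types']).has(type)) {
    return { allowed: false, reason: 'type:' + type };
  }
  return { allowed: true, reason: 'no match' };
}

// Constructed sample uploads: [file name, declared content type].
const samples = [
  ['index.php', 'application/x-httpd-php'],
  ['export.csv', 'text/csv'],
  ['notes.txt', 'text/html; charset=utf-8'],
  ['report.pdf', 'application/pdf'],
];
function auditSamples(p) {
  return samples.map(([n, t]) => n + ' -> ' + checkUpload(p, n, t).reason);
}
console.log(auditSamples(props).join('\n'));
```

In this model `export.csv` is rejected only because `text/csv` is on the types list; `csv` is not on the extensions list, so the same file declared with a different content type would reach "no match".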


3 REPLIES

Community Alums
Not applicable

Hi @M.iA ,

When you enable exclusion list validation in the Now Platform, use the glide.attachment.blacklisted.extensions property to create a comma-delimited list of restricted uploadable file extension types. Uploading of the specified file extension types is restricted.

Prerequisites

Set this property before setting the glide.security.attachment_type.use_blacklist property to true. To learn more, see Enable blacklist for attachments.

More information

 
Attribute: Description
Property name: glide.attachment.blacklisted.extensions
Configuration type: System Properties (/sys_properties_list.do)
Configure in Instance Security Center: Yes
Purpose: Restrict upload (Insert/Write/Update) operation of attachments with questionable file extensions.
Type: String
Recommended value: User specified file extensions. Common examples include ex, dll, xslx.
Functional impact: (Low) No functionality impact unless there is an attempt to upload any file extension that is specified under this property.
Security risk: (Medium) A malicious user can upload malware infected attachment with common executable file extensions.
Workaround: Properties are available in base system functionality that address the same issue, with inclusion listing instead of exclusion listing. To learn more, see:

 

When the exclusion list validation is enabled in the Now Platform, use the glide.attachment.blacklisted.types property to create a comma-delimited list of restricted uploadable file types. Uploading of the specified file types is restricted.

Prerequisites

Set this property before setting the glide.security.attachment_type.use_blacklist property to true. To learn more, see Enable blacklist for attachments.

More information

 
Attribute: Description
Property name: glide.attachment.blacklisted.types
Configuration type: System Properties (/sys_properties_list.do)
Configure in Instance Security Center: Yes
Purpose: Restrict upload (Insert/Write/Update) operation of attachments with questionable file types. Example: text/html.
Recommended value: Some Defined File Types (For example: text/html,text/csv).
Functional impact: (Low) No functionality impact unless there is an attempt to upload any file type that is specified under this property.
Security risk: (Medium) A malicious user can upload malware infected attachment with common executable file types.
Workaround: Properties are available in base system functionality that address the same issue with inclusion listing rather than with exclusion listing. To learn more, see:

To learn more about adding or creating a system property, see Add a system property.

Mark my answer correct & Helpful, if Applicable.

Thanks,

Sandeep

Hi @Sandeep Dutta ,

Thanks for the info. But to clarify, if I wanted to blacklist csv for example, would I need to add it to both, as based on the above, it would be a file type and an extension?

I want to blacklist .PHP files. My go-to would have been in the extension property, but wondering whether it needs to go in the type property too!
