Set Allowed MIME Child Types [New in Security Center 2.0]
Learn how to configure the glide.security.mime.type.allowed_child_types property to a secure setting so that files whose content does not match their extension cannot bypass Multipurpose Internet Mail Extensions (MIME) type checking. This reduces the risk of remote code execution on an uploaded file.
The glide.security.mime.type.allowed_child_types property defines the MIME file types that may have a file extension that does not match the data within an uploaded file. Such file types are allowed to bypass MIME type checking. The property accepts a comma-separated list of file type pairs, such as application/zip=application/java-archive. With that value set, files with a .zip extension that are technically .jar files pass MIME type checking despite the inconsistency. If the property is not set properly, this bypass can lead to remote code execution of an uploaded file. It should therefore always be set to an empty string ("") unless a valid use case arises. For instance, if a certain MIME type must be allowed under a different file extension and is valid according to the Tika configuration, the corresponding key-value pairs are added to this property value.
More information
| Attribute | Description |
|---|---|
| Configuration name | glide.security.mime.type.allowed_child_types |
| Configuration type | System Properties (/sys_properties_list.do) |
| Data type | string |
| Recommended value | "" |
| Default value | "" |
| Category | File and resources |
| Security risk | |
| Dependencies and prerequisites | Yes. When glide.security.mime.type.detection.allow_child_types is set to true, the values of this property are used to validate uploads against the configured list of allowed MIME child types. |
| Functional impact | Supports MIME types whose file extensions do not match the content of the files but that are valid according to the Tika sub-type configurations in tika-mimetypes.xml. |
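
The following audit check is an added example, not ServiceNow code: it parses a value of this property, compares it with the recommended empty string, and reports each pair together with whether the dependency flag puts it into effect. The function names `parseAllowedChildTypes` and `auditAllowedChildTypes` are hypothetical, the sample values are constructed, and reading each pair as "type implied by the extension = type detected in the content" is an assumption based on the .zip/.jar example above.

```javascript
// Added example: offline audit of the two property values described on this page.
// On an instance, the inputs could be read in a server-side script with gs.getProperty(name).
const PROP = 'glide.security.mime.type.allowed_child_types';
const FLAG = 'glide.security.mime.type.detection.allow_child_types';
const MIME_RE = /^[a-z0-9][a-z0-9!#$&^_.+-]*\/[a-z0-9][a-z0-9!#$&^_.+-]*$/i;

// Split the comma-separated "extensionType=contentType" list into entries.
function parseAllowedChildTypes(value) {
  return String(value || '')
    .split(',')
    .map((s) => s.trim())
    .filter((s) => s.length > 0)
    .map((raw) => {
      const parts = raw.split('=').map((p) => p.trim());
      const valid = parts.length === 2 && parts.every((p) => MIME_RE.test(p));
      return {
        raw,
        valid,
        extensionType: valid ? parts[0] : null,
        contentType: valid ? parts[1] : null,
      };
    });
}

// Compare the configured values with the recommended value ("").
function auditAllowedChildTypes(propValue, flagValue) {
  const entries = parseAllowedChildTypes(propValue);
  const flagOn = String(flagValue).trim().toLowerCase() === 'true';
  const findings = entries.map((e) => (e.valid
    ? { entry: e.raw, active: flagOn,
        issue: `content detected as ${e.contentType} is accepted under the extension for ${e.extensionType}` }
    : { entry: e.raw, active: false,
        issue: 'malformed pair, expected type/subtype=type/subtype' }));
  return {
    property: PROP,
    dependency: FLAG,
    compliant: entries.length === 0, // recommended value is the empty string
    exceptionsActive: findings.some((f) => f.active),
    findings,
  };
}

// Constructed sample values, not taken from a real instance.
const sample = auditAllowedChildTypes(
  'application/zip=application/java-archive, text/plain', 'true');
console.log(JSON.stringify(sample, null, 2));
```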