Validate file MIME type in AttachmentCreator SOAP web service [New in Security Center 1.3 and updated in 1.5]

  • Release version: Xanadu
  • Updated February 1, 2024
  • The glide.attachment.enforce_security_validation property determines whether the Multipurpose Internet Mail Extensions (MIME) type of uploaded files is validated.

    If glide.attachment.enforce_security_validation is not set to the recommended value of true, MIME validation is not performed, which allows malicious files to be uploaded with incorrect file extensions. When this property is set to true, files are uploaded with the correct file type extension.

    More information

    Attribute: Description
    Configuration name: glide.attachment.enforce_security_validation
    Configuration type: System Properties (/sys_properties_list.do)
    Data type: Boolean
    Recommended value: true
    Default value: true
    Category: File and resources
    Security risk:
    • Severity score: 7.5
    • CVSS score: High
    • Security risk details: If the property is set to false, there’s no validation for MIME files during uploads. This could enable malicious files to be disguised by changing their file extension.
    Dependencies and prerequisites: None
    References: https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Common_types
    Functional impact: Set this hardening setting to true to run MIME type and file extension validations on uploaded file attachments. No validations are run if this property is set to false. This property is set to true by default.
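
The following added example is not ServiceNow code and not part of the original page. It illustrates the kind of MIME type and file extension check this property controls, and why a renamed file is rejected when such a check runs. The type table, the validateAttachment helper and the sample uploads are assumptions constructed for illustration; the platform's own validation logic is not described on this page.

```javascript
'use strict';

// Illustrative allow list (an assumption, not the platform's list):
// extension -> expected MIME type and leading "magic" bytes.
const KNOWN_TYPES = new Map([
  ['pdf', { mime: 'application/pdf', magic: [0x25, 0x50, 0x44, 0x46] }], // %PDF
  ['png', { mime: 'image/png', magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] }],
  ['jpg', { mime: 'image/jpeg', magic: [0xff, 0xd8, 0xff] }],
  ['zip', { mime: 'application/zip', magic: [0x50, 0x4b, 0x03, 0x04] }],
]);

function hasMagic(content, magic) {
  return content.length >= magic.length && magic.every((b, i) => content[i] === b);
}

// Hypothetical helper: checks that the extension, the declared MIME type and
// the file's leading bytes all describe the same type.
function validateAttachment(fileName, declaredMime, content) {
  const dot = fileName.lastIndexOf('.');
  const ext = dot > 0 ? fileName.slice(dot + 1).toLowerCase() : '';
  const expected = KNOWN_TYPES.get(ext);
  if (!expected) return { ok: false, reason: 'extension not allowed' };
  // Ignore parameters such as "; charset=utf-8" on the declared type.
  const mime = String(declaredMime).split(';')[0].trim().toLowerCase();
  if (mime !== expected.mime) return { ok: false, reason: 'MIME type does not match extension' };
  if (!hasMagic(content, expected.magic)) return { ok: false, reason: 'content does not match extension' };
  return { ok: true, reason: 'extension, MIME type and content agree' };
}

// Constructed sample uploads (not captured from any real system).
const SAMPLES = [
  ['report.pdf', 'application/pdf', Buffer.from('%PDF-1.7\n', 'latin1')],
  ['report.pdf', 'application/pdf', Buffer.from([0x4d, 0x5a, 0x90, 0x00])], // other file type renamed to .pdf
  ['logo.png', 'text/html', Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a])],
  ['report.pdf.exe', 'application/pdf', Buffer.from('%PDF-1.7\n', 'latin1')],
];

function checkSamples() {
  return SAMPLES.map(([name, mime, bytes]) => validateAttachment(name, mime, bytes));
}

for (const [i, r] of checkSamples().entries()) {
  console.log(SAMPLES[i][0], '->', r.ok ? 'accepted' : 'rejected', `(${r.reason})`);
}
```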