Restrict Digital Asset Upload by File Extension - Precisely_EnterWorks - EnterWorks - 11.0

EnterWorks Guide

Product type: Software
Portfolio: Verify
Product family: EnterWorks
Product: Precisely EnterWorks (Precisely EnterWorks > EnterWorks™ software)
Version: 11.0
Copyright: 2024
First publish date: 2007
Last edition: 2025-01-21
Last publication: 2025-01-21T05:56:06.852000

EnterWorks services on all servers can check whether an uploaded file, such as an SVG or HTML file, could lead to cross-site scripting (XSS). The servers now validate the file extension and allow only specific file types to be uploaded. To do so, the servers:
  • Compare the file extension of the uploaded file to the allowable extensions stated in the File Extension Codeset.
  • Check for double extensions such as .php.png. If a file with a double extension is identified, prevent the upload and notify the user.

This utility is dependent on configuration settings and is initially disabled on the server. It can be enabled using the two Shared Configurations listed below:

  • dam.config.restrictFileExtensions: Determines whether to limit file extensions to those specified in the File Extension Codeset. By default, the property is set to false.
  • dam.config.restrictDoubleExtensions: Determines whether double extension files are permitted or restricted. By default, the property is set to false.
Note: If a file placed in the DAM Drop folder does not meet the criteria (for example, it has an invalid extension or a double extension), it will be removed without further processing.
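
The two checks and the effect of each switch, sketched in Python as an added example (this is not EnterWorks code). The allow-list stands in for the File Extension Codeset, and treating any name with more than one dot-separated suffix as a double extension is an assumption.

```python
# Added illustration; not EnterWorks code. The allow-list below is a constructed
# stand-in for the File Extension Codeset.
ALLOWED_EXTENSIONS = frozenset({"png", "jpg", "jpeg", "gif", "pdf"})


def check_upload(filename, restrict_file_extensions=False,
                 restrict_double_extensions=False, allowed=ALLOWED_EXTENSIONS):
    """Return (accepted, reason) for one uploaded file name.

    The two keyword flags mirror dam.config.restrictFileExtensions and
    dam.config.restrictDoubleExtensions; both default to False, as on the server.
    """
    # Keep only the base name, and strip trailing dots/spaces (Windows drops
    # them when saving) so the check sees the extension the file will have.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    exts = [part.lower() for part in name.split(".")[1:]]

    # Assumption: any name with more than one dot-separated suffix counts as
    # a double extension, so "report.v2.pdf" is flagged as well as ".php.png".
    if restrict_double_extensions and len(exts) > 1:
        return False, "double extension"
    # A name with no extension at all is treated as invalid (assumption).
    if restrict_file_extensions and (not exts or exts[-1] not in allowed):
        return False, "invalid extension"
    return True, "accepted"


def triage(filenames, **flags):
    """Map each file name to its (accepted, reason) result."""
    return {name: check_upload(name, **flags) for name in filenames}


# Constructed sample upload names.
SAMPLES = ["photo.JPG", "logo.svg", "page.html", "shell.php.png", "report.v2.pdf"]

if __name__ == "__main__":
    for label, flags in [
        ("defaults (both false)", {}),
        ("restrictFileExtensions only", {"restrict_file_extensions": True}),
        ("both enabled", {"restrict_file_extensions": True,
                          "restrict_double_extensions": True}),
    ]:
        print(label)
        for name, (ok, reason) in triage(SAMPLES, **flags).items():
            print(f"  {name:16} {'ALLOW' if ok else 'BLOCK'}  {reason}")
```

In this sketch, shell.php.png passes when only the extension allow-list is enabled, because its final extension is allowed; enabling the double-extension check as well is what blocks it.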

After making changes to the sharedConfig.properties files, clear the cache in the EPIM database and restart all EnterWorks services to apply the changes. For more information on how to edit the shared configurations, refer to Edit Shared Configuration Properties.