Configuring T&A Web file upload restrictions

Updated by Karishma

Overview

File upload restrictions were introduced in Controlled Release 8.38.5.0 (29 November 2023) to make the application more secure.

Configuration

Three new settings are available to control the restrictions. They are in the <configuration><appSettings> section of the Web.config file (located in the web application root directory):

Name: UploadFileSizeLimit
Description: File size limit in bytes. A user request to upload a file larger than this within T&A Web will be blocked.
Default value and notes: 10000000 (10MB)

Name: WhiteListExtensions
Description: White list of allowed file extensions. A user request to upload a file with an extension not on this list will be blocked.
Default value and notes: txt,doc,docx,pdf,xls,xlsx,rtf,gif,csv,jpeg,jpg,png,pps,ppt,pptx,ods,odt,wpd (Common document and image extensions). You can set value * to allow all file types.

Name: WhiteListMimeTypes
Description: MIME types restriction. If the user's web browser sends a request to upload a file using a MIME type not on this list, the request will be blocked. Note: MIME types used by web browsers can differ depending on client configuration.
Default value and notes: text/plain,application/pdf,application/rtf,image/jpeg,image/gif,image/png,text/csv,application/msword,application/vnd.openxmlformats-officedocument.wordprocessingml.document,application/vnd.ms-excel,application/vnd.openxmlformats-officedocument.spreadsheetml.sheet,application/vnd.ms-powerpoint,application/vnd.openxmlformats-officedocument.presentationml.presentation,application/vnd.oasis.opendocument.spreadsheet,application/vnd.oasis.opendocument.text,application/vnd.wordperfect (Common document and image MIME types). You can set value * to allow all file types.

For upgrades, these new settings should be copied in as directed in the Upgrade Guide (or copied from the example Web.config file supplied in the release), and then configured as required.

If the new settings are not copied into Web.config (or are otherwise not present), then default values will be used as listed above.

Example

Extract showing relevant parts in default Web.config file ('…' indicates redacted content):

...
<configuration>
  ...
  <appSettings>
    ...
    <!--File size limit in bytes for file upload-->
    <add key="UploadFileSizeLimit" value="10000000" />
    <!--Valid file extension for file upload (When allowing all file type extension, set the value to "*".)-->
    <add key="WhiteListExtensions" value="txt,doc,docx,pdf,xls,xlsx,rtf,gif,csv,jpeg,jpg,png,pps,ppt,pptx,ods,odt,wpd" />
    <!--Valid mime type for file upload (When allowing all mime types, set the value to "*".)-->
    <add key="WhiteListMimeTypes" value="text/plain,application/pdf,application/rtf,image/jpeg,image/gif,image/png,text/csv,application/msword,application/vnd.openxmlformats-officedocument.wordprocessingml.document,application/vnd.ms-excel,application/vnd.openxmlformats-officedocument.spreadsheetml.sheet,application/vnd.ms-powerpoint,application/vnd.openxmlformats-officedocument.presentationml.presentation,application/vnd.oasis.opendocument.spreadsheet,application/vnd.oasis.opendocument.text,application/vnd.wordperfect" />
    ...
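To check what a given Web.config actually enforces, the following added example (not part of the original article or the product's code) parses the three keys, applies the defaults listed above when a key is absent, and flags "*" wildcards, entries beyond the default lists, and a raised size limit. The function name, the sample XML, and the comma-splitting and case-folding of list values are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Defaults as listed in this article; they apply when a key is absent.
DEFAULTS = {
    "UploadFileSizeLimit": "10000000",
    "WhiteListExtensions": "txt,doc,docx,pdf,xls,xlsx,rtf,gif,csv,jpeg,jpg,png,pps,ppt,pptx,ods,odt,wpd",
    "WhiteListMimeTypes": (
        "text/plain,application/pdf,application/rtf,image/jpeg,image/gif,"
        "image/png,text/csv,application/msword,"
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document,"
        "application/vnd.ms-excel,"
        "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet,"
        "application/vnd.ms-powerpoint,"
        "application/vnd.openxmlformats-officedocument.presentationml.presentation,"
        "application/vnd.oasis.opendocument.spreadsheet,"
        "application/vnd.oasis.opendocument.text,application/vnd.wordperfect"),
}

def _items(value):
    # Assumption: lists are comma-separated; whitespace and case are normalised here.
    return {v.strip().lower() for v in value.split(",") if v.strip()}

def audit_upload_settings(web_config_xml):
    """Return (effective settings, findings) for the three upload keys."""
    root = ET.fromstring(web_config_xml)
    present = {a.get("key"): a.get("value", "") for a in root.findall("./appSettings/add")}
    effective, findings = {}, []
    for key, default in DEFAULTS.items():
        if key not in present:
            findings.append(f"{key}: not present, documented default applies")
        value = effective[key] = present.get(key, default)
        if key == "UploadFileSizeLimit":
            if not value.strip().isdigit():
                findings.append(f"{key}: '{value}' is not a byte count")
            elif int(value) > int(default):
                findings.append(f"{key}: {value} bytes exceeds default {default}")
        elif "*" in _items(value):
            findings.append(f"{key}: '*' allows all file types")
        else:
            extra = sorted(_items(value) - _items(default))
            if extra:
                findings.append(f"{key}: beyond default list: {', '.join(extra)}")
    return effective, findings

# Constructed sample, not a real deployment's Web.config.
SAMPLE = """<configuration><appSettings>
  <add key="UploadFileSizeLimit" value="50000000" />
  <add key="WhiteListExtensions" value="pdf,docx,exe" />
</appSettings></configuration>"""
```

Calling audit_upload_settings(SAMPLE) returns the effective values and three findings for the constructed sample; pass the text of a real Web.config to review a deployment.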
