How the File Upload Servlet and Attachment Upload Servlet whitelist can be deactivated in web.xml

The allowed-extension list of the File Upload Servlet, and of the Attachment and Image Upload Servlets, is independent of the extensionstate table: it does not have to match that table, and it has to be maintained in addition to it.

The allowed list in the servlet parameters provides an additional layer of protection in the form of a so-called "white list": from the web client you can submit only attachments whose file types are on that list.

The extensionstate table, on the other hand, manages the restrictions, i.e. the "black list". The File, Image and Attachment Upload Servlet parameters therefore complement the protection provided by the table. At startup, the web tier and the Windows client retrieve the forbidden list stored in the extensionstate table in the database; if no list is available, the clients fall back to a default list of forbidden file types stored on the client side. With the whitelist you can limit what can be submitted from the web client, while still allowing other file types to be added from the Windows client or via web services, as long as they are not restricted in the extensionstate table. Note that the whitelist applies only to uploads that pass through these servlets; the other upload paths are governed by the blacklist alone.

There is no switch parameter to turn the whitelist off, so it cannot be disabled directly. The quickest way is to remove the whole <init-param> element that contains the allowed parameter from the definition of each upload servlet whose whitelist you want to disable in web.xml, i.e. the following block:
    <init-param>
        <param-name>allowed</param-name>
        <param-value>bmp,jpg,jpeg,png,gif</param-value>
    </init-param>
web.xml is read when the application is deployed, so the change takes effect after the web tier is restarted.

Once the parameter is removed, any file type that is not restricted in the extensionstate table can be uploaded through the web client. A blacklist only blocks what it lists, whereas the whitelist blocks everything it does not list, so disabling it is a risk you take deliberately. If the problem is merely that a legitimate file type is missing, the safer fix is to add its extension to the param-value instead of removing the parameter.
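To make the interaction between the two layers concrete, here is a small Python model of the policy described above: the whitelist is read from the allowed init-param of a servlet in web.xml, the blacklist comes from the extensionstate table with the client-side default as fallback, and the same file names are checked with and without the init-param. This is an added example, not code from the product; the servlet's real implementation is not shown on the page, and the servlet class name com.example.AttachmentUploadServlet, the entries of the default forbidden list and the sample file names are constructed assumptions.

```python
"""Model of the two-layer upload check: a whitelist from the servlet's
"allowed" init-param plus a blacklist from the extensionstate table.

Added example, not the product's code. The servlet class name and the
client-side default forbidden list are constructed stand-ins; the real
values are not given on the page.
"""
import xml.etree.ElementTree as ET
from typing import Iterable, Optional, Set

SERVLET = "AttachmentUploadServlet"

# Constructed web.xml fragment carrying the whitelist as shown on the page.
WEB_XML_WITH_ALLOWED = """<web-app>
  <servlet>
    <servlet-name>AttachmentUploadServlet</servlet-name>
    <servlet-class>com.example.AttachmentUploadServlet</servlet-class>
    <init-param>
      <param-name>allowed</param-name>
      <param-value>bmp,jpg,jpeg,png,gif</param-value>
    </init-param>
  </servlet>
</web-app>
"""

# The same fragment after the whole <init-param> element has been removed.
WEB_XML_WITHOUT_ALLOWED = """<web-app>
  <servlet>
    <servlet-name>AttachmentUploadServlet</servlet-name>
    <servlet-class>com.example.AttachmentUploadServlet</servlet-class>
  </servlet>
</web-app>
"""

# Assumption: the page only says a client-side default forbidden list exists;
# these entries are invented for the example.
DEFAULT_FORBIDDEN = frozenset({"exe", "bat", "cmd", "vbs"})


def read_allowed(web_xml: str, servlet_name: str) -> Optional[Set[str]]:
    """Whitelist from the servlet's 'allowed' init-param, or None when the
    element is absent (the 'disabled' state the page describes)."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter("servlet"):
        if servlet.findtext("servlet-name") != servlet_name:
            continue
        for param in servlet.iter("init-param"):
            if param.findtext("param-name") == "allowed":
                value = param.findtext("param-value") or ""
                return {e.strip().lower() for e in value.split(",") if e.strip()}
    return None


def forbidden_list(from_extensionstate: Optional[Iterable[str]]) -> Set[str]:
    """Blacklist as the clients resolve it at startup: the extensionstate
    rows if available, otherwise the client-side default."""
    if from_extensionstate is None:
        return set(DEFAULT_FORBIDDEN)
    return {e.strip().lower() for e in from_extensionstate}


def extension_of(filename: str) -> str:
    """Last extension, lower-cased; '' when there is none. Judging by the last
    extension means 'report.jpg.exe' is treated as 'exe', and a leading dot
    ('.htaccess') is not an extension."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    stem = base.lstrip(".")
    if "." not in stem:
        return ""
    return stem.rsplit(".", 1)[-1].lower()


def is_upload_allowed(filename: str, allowed: Optional[Set[str]],
                      forbidden: Set[str]) -> bool:
    """Blacklist first (it applies to every upload path), then the whitelist,
    which only exists while the init-param is present."""
    ext = extension_of(filename)
    if ext in forbidden:
        return False
    if allowed is None:
        return True           # init-param removed: the blacklist is all that is left
    return ext in allowed     # whitelist present: anything unlisted is rejected


if __name__ == "__main__":
    blacklist = forbidden_list(None)  # extensionstate unavailable: client default
    for xml, label in ((WEB_XML_WITH_ALLOWED, "with allowed"),
                       (WEB_XML_WITHOUT_ALLOWED, "allowed removed")):
        whitelist = read_allowed(xml, SERVLET)
        for name in ("scan.JPG", "notes.pdf", "report.jpg.exe", "README"):
            print(f"{label:15} {name:16} -> {is_upload_allowed(name, whitelist, blacklist)}")
```

The run shows the point of the page: with the init-param present, notes.pdf and a file with no extension are rejected because they are not whitelisted; once the element is removed, both pass, and only names that match the blacklist (here report.jpg.exe) are still refused.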
