2 Replies Latest reply on Dec 22, 2011 2:17 AM by gardenhead_rules

    Dissecting Multipart/form-data

      Hello,

       

      I have a Webwasher 7.1.6 appliance. I am trying to create a rule that can help me block exe uploads on my mail server. The media-type (detected) of these uploads is multipart/form-data.

       

      Right now the property I am using is: Mediatype.EnsuredType == multipart/formdata, then block.

       

      However, the appliance doesn't distinguish any further than that (is the form-data uploaded application/exe, image/jpeg etc.). I went through the available discussions on this topic, and got the idea that MIME headers may accomplish this. In particular, I want to drill down to the highlighted piece of the header.

       

      upload_header.bmp

       

      Regards,

      Ankit

        • 1. Re: Dissecting Multipart/form-data
          alexott

          Hi

           

          This is standard functionality - you can use standard Media type rules to do this, but you'll need to enable Composite Openers to detect the MIME types of parts for multipart/form-data.

          To do this with standard rules, you need to go to the ruleset "Media type filtering"; there is another ruleset, "Upload media type", there. It contains the rule "Block types from list 'Upload media type blocklist'" - just add the types that you want to block to this list, and make sure that you have enabled the rule itself. This method is more reliable than blocking using data from headers.

          This works the following way:

          • When we receive a POST request, we see that this is multipart/form-data
          • If composite openers are enabled, then we call the corresponding handler and start to extract data from the POST
          • Each extracted object is passed through the policy (in an embedded cycle), so you can check each object separately and block it if it matches our condition

           

          But if you want, you can do the same by checking the MIME headers of the form parts - you need to enable composite openers so we can extract data from the form, and then use the property Body.MimeHeaderValue if you want to get the value of a MIME header (image/bmp for Content-Type, for example) or Body.MimeHeaderParameterValue to get the value of a header's parameter ("Proxy_listening.bml" for the parameter "filename" of the header "Content-Disposition", for example)

           

          Message was edited by: alexott on 22/12/11 08:55:58 CET
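
An added illustration of the flow described in the answer above (not part of the original post and not Webwasher's implementation): Python's `email` package stands in for the composite opener, and the blocklist, magic-byte table and sample request are constructed for the example. It evaluates each form part separately and shows why checking the detected type catches an upload that the part's Content-Type header alone would let through.

```python
from email import policy
from email.parser import BytesParser

# Constructed stand-in for the 'Upload media type blocklist' list.
UPLOAD_BLOCKLIST = {"application/x-msdownload"}
# Minimal magic-byte table (assumption: a real gateway uses far more signatures).
MAGIC = [(b"MZ", "application/x-msdownload"), (b"BM", "image/bmp"),
         (b"\xff\xd8\xff", "image/jpeg")]

def detect_type(data):
    """Return a media type based on content, ignoring what the client declared."""
    for prefix, mtype in MAGIC:
        if data.startswith(prefix):
            return mtype
    return "application/octet-stream"

def inspect_upload(content_type, body):
    """Open a multipart/form-data body and evaluate every part separately."""
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    msg = BytesParser(policy=policy.HTTP).parsebytes(raw)
    if msg.get_content_type() != "multipart/form-data":
        return []  # not a composite upload, nothing to open
    results = []
    for part in msg.iter_parts():
        data = part.get_payload(decode=True) or b""
        declared = part.get_content_type()   # Content-Type header of the part
        detected = detect_type(data)         # what the bytes actually are
        results.append({
            "name": part.get_param("name", header="content-disposition"),
            "filename": part.get_filename(), # Content-Disposition 'filename'
            "declared": declared,
            "detected": detected,
            "blocked_by_header": declared in UPLOAD_BLOCKLIST,
            "blocked_by_content": detected in UPLOAD_BLOCKLIST,
        })
    return results

# Constructed sample request: a text field plus an executable declared as a JPEG.
BOUNDARY = "----constructedBoundary42"
SAMPLE_CONTENT_TYPE = "multipart/form-data; boundary=" + BOUNDARY
SAMPLE_BODY = (
    b"--" + BOUNDARY.encode() + b"\r\n"
    b'Content-Disposition: form-data; name="comment"\r\n\r\n'
    b"see attachment\r\n"
    b"--" + BOUNDARY.encode() + b"\r\n"
    b'Content-Disposition: form-data; name="upload"; filename="holiday.jpg"\r\n'
    b"Content-Type: image/jpeg\r\n\r\n"
    b"MZ\x90\x00\x03\x00\r\n"
    b"--" + BOUNDARY.encode() + b"--\r\n"
)
```

Calling `inspect_upload(SAMPLE_CONTENT_TYPE, SAMPLE_BODY)` returns one verdict per form part; only the content-based check flags the second part.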
          • 2. Re: Dissecting Multipart/form-data

            Hi Alexott,

             

            Thanks for the quick reply, I tried the former solution and it worked perfectly.

             

            Regards,

            Ankit