Security configuration of attachments

Security configuration of attachments, www.askhareesh.com

File Upload Limits for Attachments:

 --> Set Profile: Upload File Size Limit (UPLOAD_FILE_SIZE_LIMIT)
  • Limits the maximum Attachment file size that can be uploaded
  • Specified in KB (e.g. 2000KB)
--> Allowing unlimited attachment sizes can allow for a Denial of Service attack (DOS)

 Attachments file type extension validation:

 --> Set Profile: Attachment File Upload Restriction Default
  • Yes (default): Black list behavior – Disallow types marked as ‘N’
  • No (recommended): White list behavior – Only allow types marked as ‘Y’
--> Validate attachments file type extensions
  • New column - FND_MIME_TYPES. ALLOW_FILE_UPLOAD – values N & Y
This was Delivered as part of January 2012 CPU

 Tag scanning of HTML Attachments:

 --> Set Profile: FND: Disable Antisamy Filter
  • False (default / recommended) – sanitize HTML pages
--> OWASP Antisamy – allows a specific (white list) of HTML elements and attributes
  • Error Message if uploaded HTML file was modified


       Posted by Follow us on Facebook | Twitter | Youtube | Google+
*/

1 comment: