Configuring document management security
Specify server-side configuration options in the 100Custom.xml file to restrict file uploads and downloads by MIME type in a document list coach view.
About this task
- Malicious files, such as viruses, might be uploaded by users and shared with other users.
- Because browsers attempt to render or even execute files of specific MIME types automatically, a user might upload JavaScript files that then execute in another user's browser when that user tries to display the document.
The default configuration acts as a blacklist for the text/html MIME type and maps it to the text/plain MIME type. To further restrict file uploads and downloads by MIME type, include the following server-side configuration options in the 100Custom.xml file:
- document-attachment-accepted-mime-types
- This option allows a whitelist of MIME types to be specified. MIME types included in the list will be allowed for upload, while all other MIME types will be blocked from upload.
- document-attachment-download-mime-types
- This option allows a blacklist of MIME type mappings to be specified. Each MIME type mapping allows for a conversion to be made from a specific MIME type to a specific MIME type upon download.
Note: Providing a configuration in the 100Custom.xml file overrides the default configuration. As a result, for text/html to remain on the blacklist, you must add it explicitly to the 100Custom.xml file.
For example:
<server>
  <!-- mime type white list which specifies mime types accepted for -->
  <!-- upload to document list or document attachment -->
  <document-attachment-accepted-mime-types>
    <!-- specifies whether to allow a null mime type for upload -->
    <allow-null-mime-type>false</allow-null-mime-type>
    <!-- lists the mime types allowed for upload -->
    <mime-type>text/plain</mime-type>
    <mime-type>image/png</mime-type>
  </document-attachment-accepted-mime-types>
  <!-- mime type black list which specifies mappings from unacceptable -->
  <!-- mime types to acceptable mime types for download from -->
  <!-- document list or document attachment -->
  <document-attachment-download-mime-types>
    <!-- will map text/html mime type to text/plain mime type -->
    <mime-type-map>
      <from>text/html</from>
      <to>text/plain</to>
    </mime-type-map>
    <!-- missing <to> element implies mapping to application/octet-stream -->
    <mime-type-map>
      <from>application/pdf</from>
    </mime-type-map>
  </document-attachment-download-mime-types>
</server>
Procedure
- Determine your document attachment security requirements by evaluating any additional desired restrictions on MIME types for upload or download. For example, you might want to rewrite a number of MIME types, such as those used for PDF files, to application/octet-stream.
- Add the default configuration above to your 100Custom.xml file, and augment this configuration with your additional settings. Refer to The 99Local.xml and 100Custom.xml configuration files.
- Restart your environment and test.
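Before restarting, the edited file can be checked for the mistakes this page warns about: a download map that no longer contains text/html, a whitelist entry that is not a valid MIME type, and null MIME types being allowed. The following is an added example, not part of the product or its documentation. The function name lint_mime_config and the sample XML are constructed for illustration, and the check assumes that configuring either option replaces the default.

```python
import xml.etree.ElementTree as ET

# Subset of IANA top-level media types; a prefix outside it (e.g. "img") is a typo.
TOP_LEVEL = {"application", "audio", "font", "image", "message",
             "model", "multipart", "text", "video"}

# Constructed sample input, not taken from any real deployment.
SAMPLE = """<server>
  <document-attachment-accepted-mime-types>
    <allow-null-mime-type>true</allow-null-mime-type>
    <mime-type>text/plain</mime-type>
    <mime-type>img/png</mime-type>
  </document-attachment-accepted-mime-types>
  <document-attachment-download-mime-types>
    <mime-type-map><from>application/pdf</from></mime-type-map>
  </document-attachment-download-mime-types>
</server>"""

def lint_mime_config(xml_text):
    """Return findings for the MIME options under <server> (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    server = root if root.tag == "server" else root.find(".//server")
    if server is None:
        return ["no <server> element found"]
    findings = []
    accepted = server.find("document-attachment-accepted-mime-types")
    download = server.find("document-attachment-download-mime-types")
    if accepted is not None:
        if (accepted.findtext("allow-null-mime-type") or "").strip().lower() == "true":
            findings.append("allow-null-mime-type is true: uploads without a MIME type pass")
        for entry in accepted.findall("mime-type"):
            value = (entry.text or "").strip().lower()
            top, _, sub = value.partition("/")
            if top not in TOP_LEVEL or not sub:
                findings.append(f"whitelist entry {value!r} is not a valid MIME type")
    maps = download.findall("mime-type-map") if download is not None else []
    mapped = {(m.findtext("from") or "").strip().lower() for m in maps}
    # Assumption: configuring either option replaces the default, so the
    # text/html mapping must be restated whenever one of them is present.
    if (accepted is not None or download is not None) and "text/html" not in mapped:
        findings.append("text/html is not in the download map: default mapping is lost")
    return findings

if __name__ == "__main__":
    for finding in lint_mime_config(SAMPLE):
        print("FINDING:", finding)
```

An empty list means none of the three problems was found; it does not confirm that the server parsed the file the same way, so the upload and download test after the restart is still needed.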