Restricting users from uploading and viewing files with specific extensions
You can restrict users from uploading and viewing files with specific extensions. This restriction helps prevent users from uploading malicious attachments and from viewing them.
To restrict attachments
- In a browser, open the AR System Administration Console, and click System > General > Server Information.
  The AR System Administration: Server Information form appears.
- Click the Attachment Security tab as shown in the following figure.
- Enter the attachment options that you need, and click Apply.
The following table describes the available options (each field name is followed by its description).
Attachment criteria
- Allow all attachments—No restrictions on uploading attachments
- Allow attachments with the following extensions—Upload attachments with extensions listed in the Comma-separated list of limit extensions.
- Default values — JSP, SVG, HTML, HTM, JSPX, XHTML, SHTML, HTACCESS, PHTML, SWF, XHT, XSL, SVGZ, JS, HTML5
- Disallow attachments with the following extensions—Do not upload attachments with extensions listed in the Comma-separated list of limit extensions. All other attachments are allowed.
Comma-separated list of limit extensions
Attachment extensions that are allowed or not allowed, based on the Attachment criteria selected.
Attachment exception list
The list of Form names (field ID) for which attachment limitations do not apply—for example, Data Visualization Module (3450298).
Attachments uploaded to the form fields listed in the attachment exception list are not validated; they are stored without any verification.
Attachment validation plugin name
The out-of-the-box ARSYS.ARF.SECURITY.ATTACHMENTVALIDATION plug-in performs real-time attachment scanning by using the ClamAV antivirus.
View the failure logs by using the Attachment Scan Failure Report form. The following screenshot shows the Attachment Scan Failure Report form:
Attachment virus scan exception list
Configure a comma-separated exception list of forms and form field IDs (or record definitions and field IDs) for which antivirus scanning is skipped.
You can configure the exception list when you set a value for the Attachment validation plugin name field.
For example:
"com.sample.DemoApp:MyDoc(10001)",
"HPD:Helpdesk(10001)"
Display criteria
- Allow display of all attachments—Users can view all the attached files by clicking the Display button in the Attachments pool.
- Allow display of attachments with the following extensions—Users can view attached files that have extensions specified in Comma separated list of display extensions.
- Disallow display of attachments with the following extensions—Users cannot view attached files that have extensions specified in Comma separated list of display extensions. All other attachments are allowed.
  Default values — JSP, SVG, HTML, HTM, JSPX, XHTML, SHTML, HTACCESS, PHTML, SWF, XHT, XSL, SVGZ, JS, HTML5
- Disallow display of all attachments—Users cannot view any attachment.
The display criteria are applied to all the existing extensions in the application.
Comma separated list of display extensions
The attachment extensions that users are allowed, or not allowed, to view, based on the Display criteria selected.
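The decision that the Attachment criteria and Display criteria settings describe, written out as an added example (not code from the AR System product): the comma-separated list is parsed, the file's extension is compared case-insensitively, and the four criteria modes are applied. The DEFAULT_LIMIT_EXTS string is the default list from the table above; how the real server treats names without an extension is not stated on the page, so that handling is an assumption noted in the comments.

```c
#include <ctype.h>
#include <string.h>

/* Attachment criteria / Display criteria modes from the Attachment Security tab. */
typedef enum { ALLOW_ALL, ALLOW_LISTED, DISALLOW_LISTED, DISALLOW_ALL } AttachCriteria;

/* Default extension list from the page, as one comma-separated string. */
static const char *DEFAULT_LIMIT_EXTS =
    "JSP, SVG, HTML, HTM, JSPX, XHTML, SHTML, HTACCESS, PHTML, SWF, XHT, XSL, SVGZ, JS, HTML5";

/* Text after the last '.', or "" if there is none. "report." also yields "". */
static const char *file_extension(const char *filename) {
    const char *dot = strrchr(filename, '.');
    return dot ? dot + 1 : "";
}

static int equal_nocase(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Case-insensitive membership of ext in a comma-separated list; spaces around
 * entries are ignored. An empty extension never matches a list entry. */
int ext_in_list(const char *ext, const char *list) {
    size_t elen = strlen(ext);
    const char *p = list;
    while (*p) {
        while (*p == ' ' || *p == ',') p++;
        const char *start = p;
        while (*p && *p != ',') p++;
        const char *end = p;
        while (end > start && end[-1] == ' ') end--;
        if (elen > 0 && (size_t)(end - start) == elen && equal_nocase(start, ext, elen))
            return 1;
    }
    return 0;
}

/* Decide whether a file is accepted (upload) or viewable (display) under the
 * selected criteria. Assumption: a file with no extension cannot match any
 * listed extension, so it passes only under ALLOW_ALL and DISALLOW_LISTED. */
int attachment_allowed(AttachCriteria criteria, const char *list, const char *filename) {
    const char *ext = file_extension(filename);
    switch (criteria) {
    case ALLOW_ALL:       return 1;
    case ALLOW_LISTED:    return ext_in_list(ext, list);
    case DISALLOW_LISTED: return !ext_in_list(ext, list);
    case DISALLOW_ALL:    return 0;
    }
    return 0;
}
```

The same function covers both tabs because the Display criteria differ from the Attachment criteria only by the extra "Disallow display of all attachments" mode.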
Attachments flowchart
The following flowchart helps you understand the attachment security based on the options that you select from the Attachment criteria list.
Attachment security flowchart
Scenarios for restricting attachments
The following table lists examples of parameter values for requests that include attachments:
To disable users from viewing the content of specific types of files
- In a browser, open the AR System Administration Console, and click System > General > Server Information.
  The AR System Administration: Server Information form appears.
- Click the Attachment Security tab, shown in the following figure.
- Enter the display options that you need, and click Apply.
For any particular attachment that you want to view, the Display button in Remedy Mid Tier or the Display menu command in the Remedy User Tool is enabled only if the Display criteria allow that attachment to be viewed. For all other attachments, the Display button or menu command is dimmed.
Defining a custom plug-in
You can choose to define a custom plug-in for real-time attachment scanning.
You can develop the plug-in to perform checks such as verifying whether the attachment contains malicious content, whether the attachment is a virus, whether the user changed the file's extension to get it past the upload restriction, and so on.
An example custom plug-in might be named EXAMPLE.ARF.SIMPLE.
If you are using a C plug-in, add the .dll/.so path to the ar.cfg or ar.conf file in the following format so that the plug-in is loaded:
Plugin: <CompletePath>/myplugin.dll
The custom validation plug-in must be a Filter API plug-in, which has only one API. Following is the prototype for the API:
void ARFilterApiCall(void *object, ARValueList *inValues, ARValueList *outValues, ARStatusList *status)
- object—Name of the object
- inValues—Contains exactly one value, which is of attachment type
- outValues—Contains exactly one value, of attachment type, only when the status is Warning; otherwise, the value is Null
- status—The status of the attachment validation (OK, Warning, or Error). If the status is Warning, the value in outValues is used to save the attachment data.