How to Block the Signature for HTML Forms File Upload

HTML forms in a Web page allow the collection of user information. RFC 1867 defines a number of extensions that allow users to submit files with HTML forms. Forms are often processed so that submitted files are uploaded and stored on the disk of the Web server.

The RFC extends the input types and attributes that are necessary for a file upload feature, including:

  • Adds a FILE option for the TYPE attributes of the HTML INPUT tag.
  • Allows an ACCEPT attribute for the INPUT tag, which is a list of media type or type patterns allowed for the input.
  • Defines a new MIME type: multipart/form-data, and specifies the behavior of HTML user agents when interpreting a form with ENCTYPE="multipart/form-data", and/or <INPUT type="file"> tags.

For example, the author of an HTML form might use the following to request one or more files from a user (example from RFC).

FORM ENCTYPE="multipart/form-data" ACTION="_URL_" METHOD=POST>

File to process: <INPUT NAME="userfile1" TYPE="file">

<INPUT TYPE="submit" VALUE="Send File">

</FORM>

For more detailed information, see RFC 1867: Forms-based File Upload in HTML.

Typically, when a browser encounters an INPUT tag of type FILE, it allows users to specify a file, and provides a Browse button for file selection. When the form is submitted, file contents are included in the data sent, as defined by the specification of the multipart/form-data data type (data format, data encoding).

Blocking HTML Forms-Based Upload

Although file submission with HTML forms is a useful feature, it can present risks when files are passed from the corporate network to the Internet. To control how internal users are uploading files in HTML forms, you can configure access rules to block such file uploads.

To block the HTML forms file upload signature, follow these steps:

  1. In the console tree of ISA Server Management, click Firewall Policy:
    • For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, and then click Firewall Policy.
    • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then click Firewall Policy.
  2. In the details pane, click the access rule that allows traffic from the source for which you want to block HTML form file uploads.
  3. On the Tasks tab, click Edit Selected Rule.
  4. On the Protocols tab, click Filtering, and then click Configure HTTP.
  5. On the Signatures tab, click Add.

Cc302655.a4e467bd-3c33-4c47-8a0e-325b1f40e505(en-us,TechNet.10).gif

  1. In the Signature dialog box, do the following:
    • In Name, specify a name to identify the signature.
    • In Description, optionally type a description to help you easily identify the signature.
    • In Search in, click the drop-down list, and select Request headers.
    • In HTTP header, type Content-Type:.
    • In Signature, type multipart/form-data.
  2. Click OK to close the Signature dialog box.
  3. Click OK to close the Configure HTTP policy for rule dialog box.
  4. Click Apply to apply the firewall policy change.

Additional Information

For more information about other signatures that you may want to block, see Common Application Signatures at the Microsoft TechNet Web site.

For more information about filtering access rules, see HTTP Filtering in ISA Server 2004 at the Microsoft TechNet Web site.