23 Upload and Download Security (Release 9.1 Update 2.2)

This chapter contains the following topics:

23.1 Understanding Upload and Download Security

JD Edwards EnterpriseOne provides security that limits the types of files users can upload and download in EnterpriseOne. Upload security prevents users from uploading file types that might contain unknown or malicious content that can harm the system. Download security restricts users from opening files from EnterpriseOne, unless the files are system-generated files such as reports, UBE definitions, and report templates, or are files attached to media objects through the image media object queue.

23.2 Configuring Upload Security

In EnterpriseOne, there are two lists the system uses to identify the types of files that users are allowed to upload: a system-defined inclusion list and a user-defined inclusion list. Each inclusion list contains the allowed file types, which are identified by their extensions. If a file type is not in an inclusion list, it cannot be uploaded in EnterpriseOne. An administrator can modify the user-defined inclusion list.

23.2.1 System-Defined Inclusion List

EnterpriseOne has a system-defined inclusion list that identifies the types of files that EnterpriseOne users can upload by default. The system-defined inclusion list contains a predefined set of extensions and cannot be modified.

The following table lists the system-defined file types that users are allowed to upload in EnterpriseOne:

| EnterpriseOne Component | Allowed File Types |
|---|---|
| EnterpriseOne Page Design (import of files for rendering the home.html) | jar, zip |
| EnterpriseOne Pages Import | jar, zip |
| One View Reporting Import | jar, zip |
| Application grid | csv, txt, xls, xlsx, xlt, xltx |
| XMLP | pdf, rtf, xlf, xls, xml, xsl |
| MailMerge | rtf |

23.2.2 User-Defined Inclusion List

EnterpriseOne provides a user-defined inclusion list that identifies the file types that users can upload in EnterpriseOne. The list contains a pre-defined list of file types, which administrators can modify at their discretion.

The user-defined inclusion list is made up of four settings in the [UPLOAD] section in the Runtime settings of the jas.ini file. You can access and update these settings in the "Upload Inclusion List" section in Server Manager, as shown in the example below:

Figure 23-1 Upload Inclusion List Settings in Server Manager


Use the following settings to specify the file types users can upload in EnterpriseOne:

  • Default Extension List (AllowDefaultFileExt in jas.ini file)

    Use this setting to identify the file types users are allowed to upload in EnterpriseOne tools other than Media Objects and EnterpriseOne Pages. The default values are csv, dip, doc, docx, dot, dotx, log, pdf, stg, txt, xls, xlsx, and xlt.

  • E1Page Content File-Extension List (E1PageContentExtensionList in jas.ini file)

    Use this setting to identify the file types users are allowed to upload in EnterpriseOne pages. The default values are asp, bmp, css, dat, dip, gif, htm, html, ico, img, jfif, jpe, jpeg, jpg, js, mf, pdf, png, svg, tif, tiff, and xml.

  • Mail Merge Extension List

    Use this setting to identify the file types users are allowed to upload in MailMerge Workbench. The default values are doc, docx, dot, dotx, pdf, rtf, and xml.

  • Media Object Extension List (AllowMOFileExt in jas.ini file)

    Use this setting to identify the file types users are allowed to upload in Media Objects. The default values are csv, dip, doc, docx, dot, dotx, log, pdf, stg, txt, xls, xlsx, and xlt.

See the JD Edwards EnterpriseOne Tools Server Manager Guide for more information about modifying .ini file settings.

23.2.2.1 Additional Rules and Restrictions for Uploading Files

In addition, the following rules and restrictions apply to uploading files in EnterpriseOne:

  • Files with a semicolon or colon in their name cannot be uploaded.

  • File names cannot have more than one extension, such as test.tst1.txt.

  • Files with no extensions can be uploaded if the user-defined inclusion list contains the value noext. This value is not included by default. An administrator must add it.

  • Image files are scanned for a valid image file signature.

  • Image files found to have embedded zip or jar files cannot be uploaded.

  • When uploading zip files, EnterpriseOne scans the contents for proper file naming, allowed file types, and image file signatures.
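
The rules above can be expressed as a single pre-upload check, shown here as an added illustration that is not Oracle's implementation. The function name check_upload, the image signature table, and the 10 MB scan cap are assumptions of this sketch; the extension list is the Media Object default quoted earlier on this page.

```python
import io
import zipfile

# Default Media Object Extension List values quoted on this page.
MEDIA_OBJECT_DEFAULTS = {"csv", "dip", "doc", "docx", "dot", "dotx", "log",
                         "pdf", "stg", "txt", "xls", "xlsx", "xlt"}
# Magic bytes for a few image types (a subset chosen for this sketch).
IMAGE_SIGNATURES = {"png": [b"\x89PNG\r\n\x1a\n"], "gif": [b"GIF87a", b"GIF89a"],
                    "jpg": [b"\xff\xd8\xff"], "jpeg": [b"\xff\xd8\xff"],
                    "bmp": [b"BM"]}
ZIP_LOCAL_HEADER = b"PK\x03\x04"      # zip and jar members start with this
MAX_MEMBER_BYTES = 10 * 1024 * 1024   # scan cap, an assumption of this sketch


def check_upload(name, data, allowed):
    """Return a list of rule violations; an empty list means the file passes."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    if ";" in base or ":" in base:
        return ["semicolon or colon in file name"]
    parts = base.split(".")
    if len(parts) > 2:
        return ["more than one extension"]
    # A name without an extension is only accepted when 'noext' is listed.
    ext = parts[1].lower() if len(parts) == 2 and parts[1] else "noext"
    if ext not in allowed:
        return [f"extension '{ext}' not in inclusion list"]
    problems = []
    if ext in IMAGE_SIGNATURES:
        if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
            problems.append("image signature does not match extension")
        if ZIP_LOCAL_HEADER in data:
            problems.append("zip or jar content embedded in image")
    if ext in ("zip", "jar"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.file_size > MAX_MEMBER_BYTES:
                        problems.append(f"{info.filename}: too large to scan")
                        continue
                    # Each archive member must pass the same rules.
                    for p in check_upload(info.filename, zf.read(info), allowed):
                        problems.append(f"{info.filename}: {p}")
        except (zipfile.BadZipFile, RuntimeError):
            problems.append("not a readable zip archive")
    return problems


if __name__ == "__main__":
    # Constructed sample: a PNG header followed by a zip local-file header.
    print(check_upload("logo.png", b"\x89PNG\r\n\x1a\n" + ZIP_LOCAL_HEADER, {"png"}))
```
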

23.3 Understanding Download Security

When downloading files from the EnterpriseOne web client on Microsoft Internet Explorer, the download dialog box shows the Save and Cancel buttons, and possibly the Open button, depending on the type of file being accessed. The Open button is available only when downloading the following types of files:

  • UBE, report definition, and report template.

    These files are generated by EnterpriseOne and are on a trusted server.

  • Media object files that are attached as a file attachment from the image media object queue.

    You can open these file attachments because the image queue is on a trusted server and an administrator places the files in the image queue. This allows users to view these attachments (such as logs, PDFs, and so forth) in the Media Object Viewer.

Mozilla Firefox and Google Chrome have a built-in feature for saving files. If an EnterpriseOne user opens any of the aforementioned files in one of these browsers, the browser automatically saves the file to a "Download" folder. This enables users to open the file from the Download folder on the client machine.