
Someone uploaded WHAT!? through my feature service?

Blog Post created by randall_williams-esristaff on Jan 12, 2014
A question was brought to Support regarding how attachment uploads to feature services can be controlled. Specifically, the user asked if there was any way to limit the uploaded media MIME types in order to prevent malicious users from uploading executable applications, scripts, or other potentially malicious items to a GIS Server.

While ArcGIS for Server cannot control the actual content that is uploaded, it can control the MIME types (essentially the file extensions) and file sizes allowed to be uploaded as attachments to a feature service.

The workflow is formally described in the ArcGIS for Desktop 10.2 help documentation, but it is not prominent in the ArcGIS for Server documentation. For that reason, and because controlling this facet of ArcGIS for Server isn't discussed often, I wanted to highlight this option.

To make these edits, an ArcGIS for Server administrator can leverage the Administrator API. Settings for maximum upload size and allowed upload types are configurable on a per-service basis, and are not global changes. This allows for flexibility when deploying services for use with various applications.

By implementing maxUploadFileSize and allowedUploadFileTypes limits, an administrator can better control the content uploaded to an attachment-enabled feature service.
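Because these limits are set per service, a service that was never edited has no explicit restriction. The Python below is an added example, not code from the original post or from Esri: it audits service definitions for the two settings and writes a tightened copy. The sample definitions are constructed, and the key layout, the comma-separated extension format, the megabyte unit, `RISKY_TYPES` and `SIZE_CAP_MB` are assumptions made for illustration.

```python
import json

# Constructed sample service definitions. Key placement, the comma-separated
# extension format and the MB unit are assumptions made for this example.
SAMPLE_SERVICES = json.loads("""[
  {"serviceName": "Inspections", "maxUploadFileSize": 0,
   "allowedUploadFileTypes": ""},
  {"serviceName": "Hydrants", "maxUploadFileSize": 10,
   "allowedUploadFileTypes": ".JPG, png,.pdf"},
  {"serviceName": "FieldNotes", "maxUploadFileSize": 500,
   "allowedUploadFileTypes": ".jpg,.exe,.ps1"}
]""")

# Hypothetical policy values, not Esri defaults.
RISKY_TYPES = {".exe", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".dll", ".jar"}
SIZE_CAP_MB = 25

def parse_types(raw):
    """Normalize '.JPG, png' into {'.jpg', '.png'}."""
    items = (t.strip().lower() for t in (raw or "").split(","))
    return {t if t.startswith(".") else "." + t for t in items if t}

def audit(service):
    """Return a list of findings for one service definition."""
    findings = []
    types = parse_types(service.get("allowedUploadFileTypes"))
    size = service.get("maxUploadFileSize") or 0
    if not types:
        findings.append("no upload type allow-list configured")
    risky = sorted(types & RISKY_TYPES)
    if risky:
        findings.append("allow-list permits " + ",".join(risky))
    if size <= 0:
        findings.append("no upload size limit configured")
    elif size > SIZE_CAP_MB:
        findings.append(f"size limit {size} exceeds cap {SIZE_CAP_MB}")
    return findings

def harden(service, allowed, max_mb):
    """Return a copy of the definition with both per-service limits set."""
    fixed = dict(service)
    fixed["allowedUploadFileTypes"] = ",".join(sorted(parse_types(",".join(allowed))))
    fixed["maxUploadFileSize"] = max_mb
    return fixed

def audit_all(services):
    return {s["serviceName"]: audit(s) for s in services}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_SERVICES).items():
        print(name, "->", findings or "ok")
```
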
