The Simple String request type in FortiWeb uses a segment-based wildcard matching logic for Request URL evaluation. The wildcard character (*) is supported only when it is placed at the beginning or the end of a path segment, or when it matches an entire directory segment. Supported wildcard placements include paths such as /*ploads/upload.php, /upload*/upload.php, or /*/upload.php.

Wildcard patterns placed inside a path segment are not supported when the Request URL Type is set to Simple String. Examples of unsupported configurations include paths such as /u*ploads/upload.php or /up*loads/upload.php.

Example: uploading an EICAR test file to the web server.

    curl -X POST -F file=@/home/user-a/test/eicar.exe http://192.0.2.10/uploads/upload.php

Related configuration:

- From the GUI: Web Protection -> Input Validation -> File Security -> File Security Rule -> Request URL Type, and set the value to Simple String.
- From the CLI:
    config waf file-upload-restriction-rule
        edit "securityrule"
            set request-type plain
            set request-file /u*loads/upload.php
            set file-size-limit 50000
            set type Block
            set enable_base64_decode disable
            config file-types
                edit 1
                    set file-type-name EXE(.exe)
                    set file-type-id 00126
                next
                edit 2
                    set file-type-name PHP(.php)
                    set file-type-id 00152
                next
                edit 3
                    set file-type-name JSP(.jsp)
                    set file-type-id 00153
                next
                edit 4
                    set file-type-name ASPX(.aspx)
                    set file-type-id 00154
                next
                edit 5
                    set file-type-name SQL(.sql)
                    set file-type-id 00166
                next
            end
            config custom-file-types
            end
        next
    end
    config waf file-upload-restriction-policy
        edit "test"
            set av-scan enable
            config rule
                edit 1
                    set file-upload-restriction-rule securityrule
                next
            end
        next
    end
    config waf web-protection-profile inline-protection
        edit "test"
            set file-upload-policy test
            set ip-intelligence enable
            set profile-id 15793176014108308509
        next
    end
    config server-policy policy
        edit "server-policy-1"
            set ssl enable
            set vserver vip1
            set service HTTP
            set web-protection-profile test
            set replacemsg Predefined
            set server-pool server-pool-1
            set https-service HTTPS
            set tls-v10 disable
            set tls-v11 disable
            set tls-v12 disable
            set tls-v13 enable
            set policy-id 13827314410337973858
            config http-content-routing-list
            end
            set tlog enable
        next
    end

Result:

Case 1: Request URL (set request-file) is one of '/u*loads/upload.php', '/up*oads/upload.php', '/upl*ads/upload.php', '/uplo*ds/upload.php', '/uploa*s/upload.php'.

Result: No match. The upload is not blocked and the file is saved on the web server.

    [root@server3 ~]# curl -X POST -F "file=@/home/user-a/test/eicar.exe" http://192.0.2.10/uploads/upload.php
    Saved to: /var/www/html/uploads/uploads/eicar.exe

Case 2: Request URL (set request-file) is /*ploads/upload.php.

Result: Matching. FortiWeb returns its block page instead of the upload response.

    [root@server3 ~]# curl -X POST -F "file=@/home/user-a/test/eicar.exe" http://192.0.2.10/uploads/upload.php
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">
    <html><head><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, minimum-scale=1, user-scalable=0">
    <style type="text/css">

Case 3: Request URL (set request-file) is /upload*/upload.php.

Result: Matching.

    [root@server3 ~]# curl -X POST -F "file=@/home/user-a/test/eicar.exe" http://192.0.2.10/uploads/upload.php
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">
    <html><head><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, minimum-scale=1, user-scalable=0">
    <style type="text/css">

Case 4: Request URL (set request-file) is /*/upload.php.

Result: Matching.

    [root@server3 ~]# curl -X POST -F "file=@/home/user-a/test/eicar.exe" http://192.0.2.10/uploads/upload.php
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">
    <html><head><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, minimum-scale=1, user-scalable=0">
    <style type="text/css">
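The following Python is an added example, not FortiWeb code or Fortinet's: it models the segment-based Simple String matching described above, reproduces the Case 1 to Case 4 outcomes, and lints FortiWeb CLI text for request-file values whose wildcard sits inside a segment so that a silently non-matching rule is caught before deployment. The sample CLI text, the one-wildcard-per-segment rule and the equal-segment-count rule are assumptions.

```python
from __future__ import annotations
import re

# Constructed sample in the style of the article's CLI: one request-file
# value with '*' inside a segment (unsupported) and one supported value.
CLI_SAMPLE = """\
config waf file-upload-restriction-rule
    edit "securityrule"
        set request-file /u*loads/upload.php
    next
    edit "securityrule-2"
        set request-file /upload*/upload.php
    next
end
"""

def unsupported_segments(pattern: str) -> list[str]:
    """Segments that place '*' inside the segment: not supported by Simple
    String, so they never match. Assumption: at most one '*' per segment."""
    bad = []
    for seg in pattern.split("/"):
        ok = seg == "*" or seg.startswith("*") or seg.endswith("*")
        if seg.count("*") > 1 or ("*" in seg and not ok):
            bad.append(seg)
    return bad

def segment_matches(pat: str, seg: str) -> bool:
    """One supported pattern segment against one URL path segment."""
    if pat == "*":                      # wildcard stands for the whole segment
        return True
    if pat.startswith("*"):             # leading wildcard: suffix match
        return seg.endswith(pat[1:])
    if pat.endswith("*"):               # trailing wildcard: prefix match
        return seg.startswith(pat[:-1])
    return pat == seg                   # no wildcard: exact segment

def simple_string_matches(pattern: str, path: str) -> bool:
    """Segment-based evaluation; an unsupported pattern yields no match (Case 1).
    Assumption: '*' covers one segment, so segment counts must agree."""
    if unsupported_segments(pattern):
        return False
    pats, segs = pattern.split("/"), path.split("/")
    return len(pats) == len(segs) and all(map(segment_matches, pats, segs))

def lint_request_files(cli_text: str) -> dict[str, list[str]]:
    """Map each 'set request-file' value in CLI text to its unsupported segments."""
    values = re.findall(r"^\s*set request-file (\S+)", cli_text, re.MULTILINE)
    return {v: unsupported_segments(v) for v in values}
```

Running lint_request_files over a configuration export flags every rule that will quietly fail to match, which is the condition Case 1 demonstrates.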