Security update to files stored in iSAMS
We have recently been implementing a number of features to improve the security around files that are uploaded to, and downloaded from iSAMS. As part of this we are introducing a Whitelist and a Blacklist to govern acceptable file extensions that can be uploaded into iSAMS. This update will be released tonight and is effective for version 8.0828 of iSAMS and above.
The Whitelist is made up of two elements, a Core Whitelist and a School Whitelist. Together, this will give you full control of the types of files that are uploaded.
The Core Whilelist is controlled centrally by iSAMS and all schools will have an identical Core Whitelist. This is the area where commonly used extensions, such as docx, xlsx, pdf, etc. have been added. We will update this from time to time as new common extensions are identified.
The School Whitelist is where you are able to add any custom file extension types that you deem acceptable for users to upload. This will be bespoke to your school but works in the same way as the Core Whitelist. When adding to the School Whitelist, two checks are performed:
- That the extension doesn’t already appear on the Core Whitelist; and
- That the extension doesn’t appear on the Blacklist.
Any file that is uploaded to iSAMS will check to see if the extension exists on either of the two Whitelists. If it does, the upload will proceed, however if it is not recognised on either the Core Whitelist, or your School Whitelist, the upload will fail.
The Blacklist is another list maintained by us, on your behalf. It is designed to prevent potentially dangerous extensions from being added to the Whitelist.
For further information on this update including how to access the Whitelists and the full list of extensions currently included on the Blacklist, please see our iCommunity post here.