
Validate attachment filenames on every change (#34367).

Patch by Holger Just.


git-svn-id: http://svn.redmine.org/redmine/trunk@20946 e93f8b46-1217-0410-a6f0-8f06a7374b81
tags/5.0.0
Go MAEDA 3 years ago
parent
commit
e41cf61de8

+ 5
- 6
app/models/attachment.rb View File

@@ -30,7 +30,8 @@ class Attachment < ActiveRecord::Base
validates_length_of :filename, :maximum => 255
validates_length_of :disk_filename, :maximum => 255
validates_length_of :description, :maximum => 255
validate :validate_max_file_size, :validate_file_extension
validate :validate_max_file_size
validate :validate_file_extension, :if => :filename_changed?

acts_as_event(
:title => :filename,
@@ -103,11 +104,9 @@ class Attachment < ActiveRecord::Base
end

def validate_file_extension
if @temp_file
extension = File.extname(filename)
unless self.class.valid_extension?(extension)
errors.add(:base, l(:error_attachment_extension_not_allowed, :extension => extension))
end
extension = File.extname(filename)
unless self.class.valid_extension?(extension)
errors.add(:base, l(:error_attachment_extension_not_allowed, :extension => extension))
end
end
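Review bot: With the `if @temp_file` guard gone, `File.extname(filename)` in validate_file_extension now runs on any filename change (per the `:if => :filename_changed?` in the hunk above), and `File.extname(nil)` raises TypeError rather than adding a validation error; unless a presence validation outside this hunk guarantees a non-nil filename before this runs, `extension = File.extname(filename.to_s)` keeps an edit that blanks the filename from raising. The method would also benefit from a one-line comment stating its new scope, e.g. `# Validated whenever the filename changes (renames included), not only on upload.`, since the old guard documented that implicitly. Note that validate_max_file_size in the first hunk is now unconditional; whether it still depends on a temp file is not visible here.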


+ 1
- 1
lib/plugins/acts_as_attachable/lib/acts_as_attachable.rb View File

@@ -107,7 +107,7 @@ module Redmine
end
next unless a
a.description = attachment['description'].to_s.strip
if a.new_record?
if a.new_record? || a.invalid?
unsaved_attachments << a
else
saved_attachments << a
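Review bot: The added `|| a.invalid?` deserves a comment, because a persisted attachment being invalid at this point is surprising to a reader who does not know about the filename-change validation introduced in app/models/attachment.rb; something like `# a persisted attachment can fail validation after being edited (e.g. renamed to a denied extension); keep it with the unsaved ones so its errors are reported instead of treating it as saved` above the `if` would do. Be aware that `invalid?` runs the full validation set (including the size check) for every existing attachment on each call, and that it repopulates `a.errors`, which presumably is what the caller relies on to report the problem. The enclosing method starts and ends outside this hunk.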

+ 13
- 0
test/unit/attachment_test.rb View File

@@ -152,6 +152,19 @@ class AttachmentTest < ActiveSupport::TestCase
end
end

def test_extension_update_should_be_validated_against_denied_extensions
with_settings :attachment_extensions_denied => "txt, png" do
a = Attachment.new(:container => Issue.find(1),
:file => mock_file_with_options(:original_filename => "test.jpeg"),
:author => User.find(1))
assert_save a

b = Attachment.find(a.id)
b.filename = "test.png"
assert !b.save
end
end

def test_valid_extension_should_be_case_insensitive
with_settings :attachment_extensions_allowed => "txt, Png" do
assert Attachment.valid_extension?(".pnG")
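Review bot: `assert !b.save` in test_extension_update_should_be_validated_against_denied_extensions pins only that the save fails, not why, so an unrelated validation failure would also make it pass; asserting the specific error, e.g. `assert_not b.save` followed by `assert_include l(:error_attachment_extension_not_allowed, :extension => ".png"), b.errors[:base]`, ties the test to the extension check that the commit adds. `assert_not` is also the form the rest of the framework prefers over `assert !`.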
