author | Go MAEDA <maeda@farend.jp> | 2021-04-16 01:36:59 +0000 |
---|---|---|
committer | Go MAEDA <maeda@farend.jp> | 2021-04-16 01:36:59 +0000 |
commit | e41cf61de80bb183abeae8c1674cb7d0ef9d1277 (patch) | |
tree | 7048ac258cd3c7990c8b541f72a3efd600807e94 | |
parent | 2027b8750aa8f6432cf58fc5b0f8bf15ef8a03d8 (diff) | |
Validate attachment filenames on every change (#34367).
Patch by Holger Just.
git-svn-id: http://svn.redmine.org/redmine/trunk@20946 e93f8b46-1217-0410-a6f0-8f06a7374b81
-rw-r--r-- | app/models/attachment.rb | 11 | ||||
-rw-r--r-- | lib/plugins/acts_as_attachable/lib/acts_as_attachable.rb | 2 | ||||
-rw-r--r-- | test/unit/attachment_test.rb | 13 |
3 files changed, 19 insertions, 7 deletions
diff --git a/app/models/attachment.rb b/app/models/attachment.rb
index 241ed0d70..c3c3fc8b3 100644
--- a/app/models/attachment.rb
+++ b/app/models/attachment.rb
@@ -30,7 +30,8 @@ class Attachment < ActiveRecord::Base
 validates_length_of :filename, :maximum => 255
 validates_length_of :disk_filename, :maximum => 255
 validates_length_of :description, :maximum => 255
- validate :validate_max_file_size, :validate_file_extension
+ validate :validate_max_file_size
+ validate :validate_file_extension, :if => :filename_changed?
 acts_as_event(
 :title => :filename,
@@ -103,11 +104,9 @@ class Attachment < ActiveRecord::Base
 end
 def validate_file_extension
- if @temp_file
- extension = File.extname(filename)
- unless self.class.valid_extension?(extension)
- errors.add(:base, l(:error_attachment_extension_not_allowed, :extension => extension))
- end
+ extension = File.extname(filename)
+ unless self.class.valid_extension?(extension)
+ errors.add(:base, l(:error_attachment_extension_not_allowed, :extension => extension))
 end
 end
diff --git a/lib/plugins/acts_as_attachable/lib/acts_as_attachable.rb b/lib/plugins/acts_as_attachable/lib/acts_as_attachable.rb
index 32ab675c7..9cd76388b 100644
--- a/lib/plugins/acts_as_attachable/lib/acts_as_attachable.rb
+++ b/lib/plugins/acts_as_attachable/lib/acts_as_attachable.rb
@@ -107,7 +107,7 @@ module Redmine
 end
 next unless a
 a.description = attachment['description'].to_s.strip
- if a.new_record?
+ if a.new_record? || a.invalid?
 unsaved_attachments << a
 else
 saved_attachments << a
diff --git a/test/unit/attachment_test.rb b/test/unit/attachment_test.rb
index 5aa5220a9..9484c9360 100644
--- a/test/unit/attachment_test.rb
+++ b/test/unit/attachment_test.rb
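Review bot: In the first hunk of app/models/attachment.rb, the `:if => :filename_changed?` condition defines when the extension policy is enforced and should carry a comment saying so. As written, the check runs only while the filename attribute is dirty, so a record stored before `attachment_extensions_denied` was tightened keeps validating until it is renamed; that looks intentional but is not stated anywhere in the hunk. Suggested comment above the line: `# Checked on every filename change, not only on upload; stored names are not re-validated when the extension settings change.`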
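Review bot: In the second hunk of app/models/attachment.rb, `validate_file_extension` now calls `File.extname(filename)` without the old `@temp_file` guard, so a nil `filename` would raise TypeError instead of adding a validation error. Whether the filename writer can leave the attribute nil is not visible here, so treat this as cheap hardening rather than a confirmed bug: `extension = File.extname(filename.to_s)`. `File.extname` also reports only the last suffix and returns an empty string for a name without one, so the result for such names depends on how `valid_extension?` handles an empty extension, which lies outside this hunk. A test for that case would pin the behaviour.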
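Review bot: In lib/plugins/acts_as_attachable/lib/acts_as_attachable.rb, `a.invalid?` sends an already-stored attachment to `unsaved_attachments` on any validation failure, not only the extension check, and the description assigned on the line above is part of what gets validated. A short comment would make the intent explicit, for example `# persisted attachments that fail validation (e.g. renamed to a denied extension) are reported as unsaved and are not attached`. The enclosing method starts and ends outside the hunk, so whether `a.errors` is shown to the user cannot be checked from here.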
@@ -152,6 +152,19 @@ class AttachmentTest < ActiveSupport::TestCase
 end
 end
+ def test_extension_update_should_be_validated_against_denied_extensions
+ with_settings :attachment_extensions_denied => "txt, png" do
+ a = Attachment.new(:container => Issue.find(1),
+ :file => mock_file_with_options(:original_filename => "test.jpeg"),
+ :author => User.find(1))
+ assert_save a
+
+ b = Attachment.find(a.id)
+ b.filename = "test.png"
+ assert !b.save
+ end
+ end
+
 def test_valid_extension_should_be_case_insensitive
 with_settings :attachment_extensions_allowed => "txt, Png" do
 assert Attachment.valid_extension?(".pnG") |
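Review bot: `assert !b.save` in the new test passes on any validation failure, so it does not prove that the denied extension is what blocked the rename. Pin the cause and the stored state as well: `assert b.errors[:base].present?` after the save, and `assert_equal "test.jpeg", Attachment.find(a.id).filename` to show the original name is still persisted. A companion case using `attachment_extensions_allowed` would cover the allow-list path, which goes through the same validator.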