authorJean-Philippe Lang <jp_lang@yahoo.fr>2015-11-01 10:41:02 +0000
committerJean-Philippe Lang <jp_lang@yahoo.fr>2015-11-01 10:41:02 +0000
commitdd1c5f8900bb95a47209e6a1efea8ea51950fdd4 (patch)
treee745e020f2e1d97874fedbabb5b314a75aefdfa9 /app
parente009780eb3f51e3809393bcf8e0f88cf6e638f2a (diff)
downloadredmine-dd1c5f8900bb95a47209e6a1efea8ea51950fdd4.tar.gz
redmine-dd1c5f8900bb95a47209e6a1efea8ea51950fdd4.zip
Files upload restriction by files extensions (#20008).
git-svn-id: http://svn.redmine.org/redmine/trunk@14792 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app')
-rw-r--r--app/models/attachment.rb27
-rw-r--r--app/views/settings/_attachments.html.erb6
2 files changed, 32 insertions, 1 deletions
diff --git a/app/models/attachment.rb b/app/models/attachment.rb
index 5fa89ee5a..0064555b9 100644
--- a/app/models/attachment.rb
+++ b/app/models/attachment.rb
@@ -26,7 +26,7 @@ class Attachment < ActiveRecord::Base
validates_length_of :filename, :maximum => 255
validates_length_of :disk_filename, :maximum => 255
validates_length_of :description, :maximum => 255
- validate :validate_max_file_size
+ validate :validate_max_file_size, :validate_file_extension
attr_protected :id
acts_as_event :title => :filename,
@@ -69,6 +69,15 @@ class Attachment < ActiveRecord::Base
end
end
+ def validate_file_extension
+ if @temp_file
+ extension = File.extname(filename)
+ unless self.class.valid_extension?(extension)
+ errors.add(:base, l(:error_attachment_extension_not_allowed, :extension => extension))
+ end
+ end
+ end
+
def file=(incoming_file)
unless incoming_file.nil?
@temp_file = incoming_file
@@ -333,6 +342,22 @@ class Attachment < ActiveRecord::Base
end
end
+ # Returns true if the extension is allowed, otherwise false
+ def self.valid_extension?(extension)
+ extension = extension.downcase.sub(/\A\.+/, '')
+
+ denied, allowed = [:attachment_extensions_denied, :attachment_extensions_allowed].map do |setting|
+ Setting.send(setting).to_s.split(",").map {|s| s.strip.downcase.sub(/\A\.+/, '')}.reject(&:blank?)
+ end
+ if denied.present? && denied.include?(extension)
+ return false
+ end
+ unless allowed.blank? || allowed.include?(extension)
+ return false
+ end
+ true
+ end
+
private
# Physically deletes the file from the file system
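Review bot: In `valid_extension?` the configured entries are normalised with `s.strip.downcase.sub(/\A\.+/, '')`, but the incoming `extension` is only downcased and dot-stripped, so an extension carrying surrounding whitespace (or a `nil` from a caller) is compared against a stripped list entry and never matches the denied list; normalise both sides the same way, `extension = extension.to_s.strip.downcase.sub(/\A\.+/, '')`. The precedence between the two lists is only visible from the control flow, so the header comment should state it, e.g. `# A denied extension is rejected even if it is also listed as allowed; an empty allowed list allows everything not denied`. In the earlier hunk `validate_file_extension` only runs when `@temp_file` is set, which ties the check to the upload path rather than to `filename`; if `filename` can be changed after upload that path is presumably not re-validated — worth confirming and documenting on the method. The `validate_file_extension` method is complete within its hunk, but the enclosing class starts and ends outside it.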
diff --git a/app/views/settings/_attachments.html.erb b/app/views/settings/_attachments.html.erb
index f8a85c748..818845e55 100644
--- a/app/views/settings/_attachments.html.erb
+++ b/app/views/settings/_attachments.html.erb
@@ -3,6 +3,12 @@
<div class="box tabular settings">
<p><%= setting_text_field :attachment_max_size, :size => 6 %> <%= l(:"number.human.storage_units.units.kb") %></p>
+<p><%= setting_text_area :attachment_extensions_allowed %>
+<em class="info"><%= l(:text_comma_separated) %> <%= l(:label_example) %>: txt, png</em></p>
+
+<p><%= setting_text_area :attachment_extensions_denied %>
+<em class="info"><%= l(:text_comma_separated) %> <%= l(:label_example) %>: js, swf</em></p>
+
<p><%= setting_text_field :file_max_size_displayed, :size => 6 %> <%= l(:"number.human.storage_units.units.kb") %></p>
<p><%= setting_text_field :diff_max_lines_displayed, :size => 6 %></p>