Diffstat (limited to 'app/models/attachment.rb')
-rw-r--r--app/models/attachment.rb27
1 files changed, 26 insertions, 1 deletions
diff --git a/app/models/attachment.rb b/app/models/attachment.rb
index 5fa89ee5a..0064555b9 100644
--- a/app/models/attachment.rb
+++ b/app/models/attachment.rb
@@ -26,7 +26,7 @@ class Attachment < ActiveRecord::Base
validates_length_of :filename, :maximum => 255
validates_length_of :disk_filename, :maximum => 255
validates_length_of :description, :maximum => 255
- validate :validate_max_file_size
+ validate :validate_max_file_size, :validate_file_extension
attr_protected :id
acts_as_event :title => :filename,
@@ -69,6 +69,15 @@ class Attachment < ActiveRecord::Base
end
end
+ def validate_file_extension
+ if @temp_file
+ extension = File.extname(filename)
+ unless self.class.valid_extension?(extension)
+ errors.add(:base, l(:error_attachment_extension_not_allowed, :extension => extension))
+ end
+ end
+ end
+
def file=(incoming_file)
unless incoming_file.nil?
@temp_file = incoming_file
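Review bot: validate_file_extension on the added lines only checks the last path component returned by `File.extname(filename)`, and only while `@temp_file` is set, so in denylist-only mode a filename with no extension yields `""`, which is never in `denied`, and passes; an existing record whose `filename` is changed without a new upload is not re-checked either. If both are intended, that should be stated on the method, e.g. `# Checked only on upload: compares the final extension of +filename+ against the attachment_extensions_allowed/denied settings.` If extensionless uploads should not slip past a denylist, the admin guidance would be to configure the allowed-extensions setting rather than relying on the denied one. The enclosing class Attachment starts outside this hunk.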
@@ -333,6 +342,22 @@ class Attachment < ActiveRecord::Base
end
end
+ # Returns true if the extension is allowed, otherwise false
+ def self.valid_extension?(extension)
+ extension = extension.downcase.sub(/\A\.+/, '')
+
+ denied, allowed = [:attachment_extensions_denied, :attachment_extensions_allowed].map do |setting|
+ Setting.send(setting).to_s.split(",").map {|s| s.strip.downcase.sub(/\A\.+/, '')}.reject(&:blank?)
+ end
+ if denied.present? && denied.include?(extension)
+ return false
+ end
+ unless allowed.blank? || allowed.include?(extension)
+ return false
+ end
+ true
+ end
+
private
# Physically deletes the file from the file system