redmine-WhitelistAndBlacklist-attachment-extensions.diff

Jonathan Tee, 2015-10-06 11:51



app/models/attachment.rb (working copy)
26 26
  validates_length_of :filename, :maximum => 255
27 27
  validates_length_of :disk_filename, :maximum => 255
28 28
  validates_length_of :description, :maximum => 255
29
  validate :validate_max_file_size
29
  validate :validate_max_file_size, :validate_file_extension
30 30
  attr_protected :id
31 31

  
32 32
  acts_as_event :title => :filename,
......
69 69
    end
70 70
  end
71 71

  
72
  def validate_file_extension
73
  	blacklisted = false
74
  	ext = File.extname(self.filename)
75

  
76
	# if defined, check whether file's extension is blacklisted
77
	if not Setting.attachment_extension_blacklist.empty?
78
		extension_blacklist = Setting.attachment_extension_blacklist.split(",").map { |s| '.' + s }
79
		if extension_blacklist.include?(ext)
80
			blacklisted = true
81
			errors.add(:base, l(:error_attachment_extension_blacklisted, :blacklist => Setting.attachment_extension_blacklist))
82
		end
83
	end
84

  
85
	# if defined, check whether file's extension is whitelisted
86
	if (not Setting.attachment_extension_whitelist.empty?) and (not blacklisted)
87
		extension_whitelist = Setting.attachment_extension_whitelist.split(",").map { |s| '.' + s }
88
		if not extension_whitelist.include?(ext)
89
			errors.add(:base, l(:error_attachment_extension_not_whitelisted, :whitelist => Setting.attachment_extension_whitelist))
90
		end
91
	end
92
  end
93

  
72 94
  def file=(incoming_file)
73 95
    unless incoming_file.nil?
74 96
      @temp_file = incoming_file
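Review bot: In validate_file_extension the `include?` comparisons are case-sensitive and the admin-entered lists are not normalised, so a blacklist entry `php` does not match an upload whose extension is `.PHP`, and a list typed as `php, exe` yields the entry `. exe`, which never matches anything. Both `File.extname(filename)` and every list entry should be stripped and downcased (and a leading dot the admin may type should be tolerated) before the membership test. Separately, `Setting.attachment_extension_whitelist.empty?` and the blacklist counterpart raise NoMethodError if the setting resolves to nil, which the blank `default:` added in config/settings.yml in this same patch appears to allow; `to_s`/`blank?` covers both cases. The `and`/`not` operators should also be `&&`/`!` per the Ruby style guide. The rewrite below keeps the existing precedence (a blacklisted extension is reported once and the whitelist check is skipped) and would go with the helpers in the private section.
```ruby
  def validate_file_extension
    ext = normalized_extension(File.extname(filename.to_s))
    blacklist = extension_list(Setting.attachment_extension_blacklist)
    whitelist = extension_list(Setting.attachment_extension_whitelist)

    if blacklist.include?(ext)
      errors.add(:base, l(:error_attachment_extension_blacklisted, :blacklist => Setting.attachment_extension_blacklist))
    elsif whitelist.any? && !whitelist.include?(ext)
      errors.add(:base, l(:error_attachment_extension_not_whitelisted, :whitelist => Setting.attachment_extension_whitelist))
    end
  end

  # Splits an admin-entered comma-separated list into normalised extensions
  # ("php", " .EXE " and "exe" all become ".php"/".exe"); nil or blank yields [].
  # Empty entries (e.g. a trailing comma) are dropped so they cannot match
  # an extension-less filename.
  def extension_list(setting)
    setting.to_s.split(",").map { |s| normalized_extension(s) }.reject { |s| s == "." }
  end

  # Lower-cases, trims and ensures exactly one leading dot.
  def normalized_extension(s)
    ".#{s.to_s.strip.sub(/\A\.+/, "").downcase}"
  end
```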
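--- a/app/views/settings/_general.html.erb
+++ b/app/views/settings/_general.html.erb
@@ -7,6 +7,10 @@
 <%= wikitoolbar_for 'settings_welcome_text' %>
 
 <p><%= setting_text_field :attachment_max_size, :size => 6 %> <%= l(:"number.human.storage_units.units.kb") %></p>
+<p><%= setting_text_field :attachment_extension_whitelist %>
+<em class="info"><%= l(:text_comma_separated) %></em></p>
+<p><%= setting_text_field :attachment_extension_blacklist %>
+<em class="info"><%= l(:text_comma_separated) %></em></p>
 
 <p><%= setting_text_field :per_page_options, :size => 20 %>
 <em class="info"><%= l(:text_comma_separated) %></em></p>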
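--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -204,6 +204,8 @@
   error_unable_delete_issue_status: 'Unable to delete issue status'
   error_unable_to_connect: "Unable to connect (%{value})"
   error_attachment_too_big: "This file cannot be uploaded because it exceeds the maximum allowed file size (%{max_size})"
+  error_attachment_extension_not_whitelisted: "Attachment extension not whitelisted; allowed extensions: %{whitelist}"
+  error_attachment_extension_blacklisted: "Attachment extension blacklisted; disallowed extensions: %{blacklist}"
   error_session_expired: "Your session has expired. Please login again."
   warning_attachments_not_saved: "%{count} file(s) could not be saved."
   error_password_expired: "Your password has expired or the administrator requires you to change it."
@@ -356,6 +358,8 @@
   setting_login_required: Authentication required
   setting_self_registration: Self-registration
   setting_attachment_max_size: Maximum attachment size
+  setting_attachment_extension_whitelist: Whitelisted attachment extensions
+  setting_attachment_extension_blacklist: Blacklisted attachment extensions
   setting_issues_export_limit: Issues export limit
   setting_mail_from: Emission email address
   setting_bcc_recipients: Blind carbon copy recipients (bcc)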
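--- a/config/settings.yml
+++ b/config/settings.yml
@@ -55,6 +55,10 @@
 attachment_max_size:
   format: int
   default: 5120
+attachment_extension_whitelist:
+  default:
+attachment_extension_blacklist:
+  default:
 issues_export_limit:
   format: int
   default: 500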