Files upload Restriction by files extensions
|Assignee:||Jean-Philippe Lang||% Done:|
We are using redmine 2.5.1 with below settings in Ubuntu 14.04 LTS
Redmine version 2.5.1.stable
Ruby version 2.0.0-p645 (2015-04-13) [x86_64-linux-gnu]
Rails version 3.2.17
Database adapter MySQL
Everything is working fine but our security team is rejected to expose outside (internet) becasue of there is no option for Files extensions upload restrictions.That mean, we need to allow only certain files but right now redmine is accepting all the files extensions (.exe,zip,msi,....etc). I searched in entire issues and google but no luck. Please let me know, what is the solution for this and treated this as a bug.
#4 Updated by madhusudan kh over 2 years ago
I got it working by weired hack!, I was facing the same issue, our security team wont allow site to be exposed outside until basic security vulnerabilities are fixed, I tried with apache by doing Filesmatch but that didn't work, so came up with this solution.
Ideally this is one of the basic need for all web applications!, don't know why this was ignored!, anyways here it is.
u need to change 2 files (in my system redmine is installed in /usr/share/)
main file to allow valid file types
language wise error notification output file
check the patch Files attached for patching the above two files, and make sure u take these two files backup before patching.
how to patch:
just cd to that respective directory and enter below command
patch -p0 < attachment.rb.patch
patch -p0 < en.yml.patch
(note: only files with below file types are allowed)
if you want to add or delete extensions for allowed file types u can modify file /usr/share/redmine/app/models/attachment.rb
just go through u will get it..
Hope it will be useful for someone who are in really need, also hope to see this feature in next version?.:-)
#5 Updated by Jonathan Tee over 2 years ago
- File redmine-WhitelistAndBlacklist-attachment-extensions.diff added
- File screenshot.png added
we made a new version of this patch, which should be easier to integrate into core. When patch is installed, it will make nothing. But under Settings you are able to define your own white/blacklist for file extensions.
the following checks are made if you try to upload new files:
empty whitelist, empyt blacklist: everything is allowed
empty whitelist, defined blacklist: only not blacklisted extensions are allowed
defined whitelist, empty blacklist: only whitelisted extensions are allowed
if a extension is blacklisted, whitelist will not be checked anymore for this extension
Patch made for Redmine3.1