Redmine

Hi,

I got it working by weired hack!, I was facing the same issue, our security team wont allow site to be exposed outside until basic security vulnerabilities are fixed, I tried with apache by doing Filesmatch but that didn't work, so came up with this solution.

Ideally this is one of the basic need for all web applications!, don't know why this was ignored!, anyways here it is.

u need to change 2 files (in my system redmine is installed in /usr/share/)

main file to allow valid file types
/usr/share/redmine/app/models/attachment.rb

language wise error notification output file
/usr/share/redmine/config/locales/en.yml

check the patch Files attached for patching the above two files, and make sure u take these two files backup before patching.

how to patch:
just cd to that respective directory and enter below command

patch -p0 < attachment.rb.patch
patch -p0 < en.yml.patch

(note: only files with below file types are allowed)

('.txt','.csv','.htm','.html','.xml','.css','.doc','.docx','.xls','.xlsx','.rtf','.ppt','.pptx','.pdf','.swf','.flv','.avi','.wmv','.mov','.jpg','.jpeg','.gif','.png')

if you want to add or delete extensions for allowed file types u can modify file /usr/share/redmine/app/models/attachment.rb

just go through u will get it..

Hope it will be useful for someone who are in really need, also hope to see this feature in next version?.:-)

Hi,

we made a new version of this patch, which should be easier to integrate into core. When patch is installed, it will make nothing. But under Settings you are able to define your own white/blacklist for file extensions.

the following checks are made if you try to upload new files:

empty whitelist, empyt blacklist: everything is allowed
empty whitelist, defined blacklist: only not blacklisted extensions are allowed
defined whitelist, empty blacklist: only whitelisted extensions are allowed

if a extension is blacklisted, whitelist will not be checked anymore for this extension

Patch made for Redmine3.1

Feature added in r14792.