Feature #20008

Files upload Restriction by files extensions

Added by Varadharajan Sundaram about 3 years ago. Updated over 2 years ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: Jean-Philippe Lang
% Done: 0%
Category: Attachments
Target version: 3.2.0
Resolution: Fixed

Description

Hi,

We are using Redmine 2.5.1 with the settings below on Ubuntu 14.04 LTS

Environment:
Redmine version 2.5.1.stable
Ruby version 2.0.0-p645 (2015-04-13) [x86_64-linux-gnu]
Rails version 3.2.17
Environment production
Database adapter MySQL
SCM:
Subversion 1.8.8
Git 1.9.1
Filesystem
Redmine plugins:
AgileDwarf 0.0.3
progressive_projects_list 1.0.0
redmine_cas 1.2.1
redmine_issue_templates 0.1.0
redmine_ldap_sync 2.0.4.g0693d11a0c

Everything is working fine, but our security team has rejected exposing it outside (to the internet) because there is no option for restricting uploads by file extension. That means we need to allow only certain files, but right now Redmine is accepting all file extensions (.exe, .zip, .msi, ...etc). I searched through all the issues and Google but had no luck. Please let me know what the solution is for this, and treat this as a bug.

attachment.rb.patch - actual file blocking (1.21 KB) madhusudan kh, 2015-06-09 14:51

en.yml.patch - message for file blocking (742 Bytes) madhusudan kh, 2015-06-09 14:51

redmine-WhitelistAndBlacklist-attachment-extensions.diff (4.08 KB) Jonathan Tee, 2015-10-06 11:51

screenshot.png (59.3 KB) Jonathan Tee, 2015-10-06 11:52

Associated revisions

Revision 14792
Added by Jean-Philippe Lang over 2 years ago

Files upload restriction by files extensions (#20008).

Revision 14793
Added by Jean-Philippe Lang over 2 years ago

Adds strings to locales (#20008).

History

#1 Updated by Toshi MARUYAMA about 3 years ago

  • Tracker changed from Defect to Feature
  • Category changed from Files to Attachments
  • Priority changed from High to Normal

#2 Updated by Toshi MARUYAMA about 3 years ago

  • Subject changed from Files upload Restriction is not available to Files upload Restriction by files extensions

#3 Updated by Varadharajan Sundaram about 3 years ago

Please let me know, can I try any alternative method to fix this issue?

#4 Updated by madhusudan kh about 3 years ago

Hi,

I got it working by a weird hack! I was facing the same issue; our security team won't allow the site to be exposed outside until basic security vulnerabilities are fixed. I tried with Apache by doing FilesMatch, but that didn't work, so I came up with this solution.

Ideally this is one of the basic needs for all web applications! Don't know why this was ignored! Anyway, here it is.

You need to change 2 files (on my system Redmine is installed in /usr/share/):

main file, to allow valid file types:
/usr/share/redmine/app/models/attachment.rb

language-specific error notification file:
/usr/share/redmine/config/locales/en.yml

Check the attached patch files for patching the above two files, and make sure you back up these two files before patching.

How to patch:
Just cd to the respective directory and enter the command below:

patch -p0 < attachment.rb.patch
patch -p0 < en.yml.patch

(Note: only files with the file types below are allowed.)

('.txt','.csv','.htm','.html','.xml','.css','.doc','.docx','.xls','.xlsx','.rtf','.ppt','.pptx','.pdf','.swf','.flv','.avi','.wmv','.mov','.jpg','.jpeg','.gif','.png')

If you want to add or delete extensions for the allowed file types, you can modify the file /usr/share/redmine/app/models/attachment.rb

Just go through it, you will get it..

Hope it will be useful for someone who is really in need; also hope to see this feature in the next version?.:-)

#5 Updated by Jonathan Tee over 2 years ago

Hi,

We made a new version of this patch, which should be easier to integrate into core. When the patch is installed, it does nothing by itself. But under Settings you are able to define your own white/blacklist for file extensions.

The following checks are made if you try to upload new files:

empty whitelist, empty blacklist: everything is allowed
empty whitelist, defined blacklist: only non-blacklisted extensions are allowed
defined whitelist, empty blacklist: only whitelisted extensions are allowed

If an extension is blacklisted, the whitelist will not be checked anymore for this extension.

Patch made for Redmine 3.1
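The allow/deny rules listed in the comment above, worked through as an added Ruby example (this is not Redmine's code nor the attached patch; the function and setting names are assumed, and the lists are modelled as the comma-separated strings a Settings field would hold):

```ruby
# Added example, not Redmine's own code. Implements the whitelist/blacklist
# rules from comment #5 for settings kept as comma-separated strings such as
# "txt, pdf, .PNG". All names here are assumed, not Redmine's.

# Turn "txt, .PDF ,png" into ["txt", "pdf", "png"]: one entry per comma,
# leading dot and letter case ignored, blank entries dropped.
def parse_extension_list(setting)
  setting.to_s.split(",").map { |e| e.strip.sub(/\A\./, "").downcase }.reject(&:empty?)
end

# Bare lowercase extension of a filename ("Report.PDF" -> "pdf").
# A name with no dot, or with only a leading dot (".htaccess"), yields "".
# Only the final extension is seen: "invoice.pdf.exe" is "exe".
def file_extension(filename)
  File.extname(filename.to_s).sub(/\A\./, "").downcase
end

# Rules from the comment:
#   both lists empty             -> everything is allowed
#   whitelist empty, blacklist   -> allowed unless blacklisted
#   whitelist defined            -> allowed only if whitelisted
#   blacklisted extension        -> denied; the whitelist is never consulted
def extension_allowed?(filename, whitelist: "", blacklist: "")
  ext = file_extension(filename)
  return false if parse_extension_list(blacklist).include?(ext)
  allowed = parse_extension_list(whitelist)
  allowed.empty? || allowed.include?(ext)
end

if __FILE__ == $0
  puts extension_allowed?("setup.exe", blacklist: "exe, msi")       # false
  puts extension_allowed?("Report.PDF", whitelist: "txt, pdf, png") # true
  puts extension_allowed?("README", whitelist: "txt")               # false (no extension)
end
```

Note that this is a name-based filter only: it decides on the final extension of the uploaded name, not on the file's content, so it blocks the obvious cases the reporter lists (.exe, .msi) but does not replace content checks.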

#6 Updated by Jean-Philippe Lang over 2 years ago

  • Assignee set to Jean-Philippe Lang
  • Target version set to 3.2.0

#7 Updated by Jean-Philippe Lang over 2 years ago

  • Status changed from New to Closed
  • Resolution set to Fixed

Feature added in r14792.
