jro_apps/redmine Commit - r14410:dd1c5f8900bb

Files upload restriction by files extensions (#20008)....

Jean-Philippe Lang -

r14410:dd1c5f8900bb

parent child

Context file:

r14410:dd1c5f8900bb

Collapse all files

app/models/attachment.rb +26 -1

@@ -26,7 +26,7 class Attachment < ActiveRecord::Base
26	validates_length_of :filename, :maximum => 255	26	validates_length_of :filename, :maximum => 255
27	validates_length_of :disk_filename, :maximum => 255	27	validates_length_of :disk_filename, :maximum => 255
28	validates_length_of :description, :maximum => 255	28	validates_length_of :description, :maximum => 255
29	validate :validate_max_file_size	29	validate :validate_max_file_size, :validate_file_extension
30	attr_protected :id	30	attr_protected :id
31		31
32	acts_as_event :title => :filename,	32	acts_as_event :title => :filename,
@@ -69,6 +69,15 class Attachment < ActiveRecord::Base
69	end	69	end
70	end	70	end
71		71
		72	def validate_file_extension
		73	if @temp_file
		74	extension = File.extname(filename)
		75	unless self.class.valid_extension?(extension)
		76	errors.add(:base, l(:error_attachment_extension_not_allowed, :extension => extension))
		77	end
		78	end
		79	end
		80
72	def file=(incoming_file)	81	def file=(incoming_file)
73	unless incoming_file.nil?	82	unless incoming_file.nil?
74	@temp_file = incoming_file	83	@temp_file = incoming_file
@@ -333,6 +342,22 class Attachment < ActiveRecord::Base
333	end	342	end
334	end	343	end
335		344
		345	# Returns true if the extension is allowed, otherwise false
		346	def self.valid_extension?(extension)
		347	extension = extension.downcase.sub(/\A\.+/, '')
		348
		349	denied, allowed = [:attachment_extensions_denied, :attachment_extensions_allowed].map do \|setting\|
		350	Setting.send(setting).to_s.split(",").map {\|s\| s.strip.downcase.sub(/\A\.+/, '')}.reject(&:blank?)
		351	end
		352	if denied.present? && denied.include?(extension)
		353	return false
		354	end
		355	unless allowed.blank? \|\| allowed.include?(extension)
		356	return false
		357	end
		358	true
		359	end
		360
336	private	361	private
337		362
338	# Physically deletes the file from the file system	363	# Physically deletes the file from the file system

app/views/settings/_attachments.html.erb +6 0

             <div class="box tabular settings">
             <p><%= setting_text_field :attachment_max_size, :size => 6 %> <%= l(:"number.human.storage_units.units.kb") %></p>
+            <p><%= setting_text_area :attachment_extensions_allowed %>
+            <em class="info"><%= l(:text_comma_separated) %> <%= l(:label_example) %>: txt, png</em></p>
+            <p><%= setting_text_area :attachment_extensions_denied %>
+            <em class="info"><%= l(:text_comma_separated) %> <%= l(:label_example) %>: js, swf</em></p>
             <p><%= setting_text_field :file_max_size_displayed, :size => 6 %> <%= l(:"number.human.storage_units.units.kb") %></p>
             <p><%= setting_text_field :diff_max_lines_displayed, :size => 6 %></p>

config/locales/en.yml +3 0

               error_invalid_file_encoding: "The file is not a valid %{encoding} encoded file"
               error_invalid_csv_file_or_settings: "The file is not a CSV file or does not match the settings below"
               error_can_not_read_import_file: "An error occurred while reading the file to import"
+              error_attachment_extension_not_allowed: "Attachment extension %{extension} is not allowed"
               mail_subject_lost_password: "Your %{value} password"
               mail_body_lost_password: 'To change your password, click on the following link:'
               setting_link_copied_issue: Link issues on copy
               setting_max_additional_emails: Maximum number of additional email addresses
               setting_search_results_per_page: Search results per page
+              setting_attachment_extensions_allowed: Allowed extensions
+              setting_attachment_extensions_denied: Disallowed extensions
               permission_add_project: Create project
               permission_add_subprojects: Create subprojects

config/locales/fr.yml +3 0

               error_invalid_file_encoding: "Le fichier n'est pas un fichier %{encoding} valide"
               error_invalid_csv_file_or_settings: "Le fichier n'est pas un fichier CSV ou n'est pas conforme aux paramètres sélectionnés"
               error_can_not_read_import_file: "Une erreur est survenue lors de la lecture du fichier à importer"
+              error_attachment_extension_not_allowed: "L'extension %{extension} n'est pas autorisée"
               mail_subject_lost_password: "Votre mot de passe %{value}"
               mail_body_lost_password: 'Pour changer votre mot de passe, cliquez sur le lien suivant :'
               setting_link_copied_issue: Lier les demandes lors de la copie
               setting_max_additional_emails: Nombre maximal d'adresses email additionnelles
               setting_search_results_per_page: Résultats de recherche affichés par page
+              setting_attachment_extensions_allowed: Extensions autorisées
+              setting_attachment_extensions_denied: Extensions non autorisées
               permission_add_project: Créer un projet
               permission_add_subprojects: Créer des sous-projets

config/settings.yml +4 0

             attachment_max_size:
               format: int
               default: 5120
+            attachment_extensions_allowed:
+              default:
+            attachment_extensions_denied:
+              default:
             issues_export_limit:
               format: int
               default: 500

test/unit/attachment_test.rb +39 0

@@ -122,6 +122,45 class AttachmentTest < ActiveSupport::TestCase
122	end	122	end
123	end	123	end
124		124
		125	def test_extension_should_be_validated_against_allowed_extensions
		126	with_settings :attachment_extensions_allowed => "txt, png" do
		127	a = Attachment.new(:container => Issue.find(1),
		128	:file => mock_file_with_options(:original_filename => "test.png"),
		129	:author => User.find(1))
		130	assert_save a
		131
		132	a = Attachment.new(:container => Issue.find(1),
		133	:file => mock_file_with_options(:original_filename => "test.jpeg"),
		134	:author => User.find(1))
		135	assert !a.save
		136	end
		137	end
		138
		139	def test_extension_should_be_validated_against_denied_extensions
		140	with_settings :attachment_extensions_denied => "txt, png" do
		141	a = Attachment.new(:container => Issue.find(1),
		142	:file => mock_file_with_options(:original_filename => "test.jpeg"),
		143	:author => User.find(1))
		144	assert_save a
		145
		146	a = Attachment.new(:container => Issue.find(1),
		147	:file => mock_file_with_options(:original_filename => "test.png"),
		148	:author => User.find(1))
		149	assert !a.save
		150	end
		151	end
		152
		153	def test_valid_extension_should_be_case_insensitive
		154	with_settings :attachment_extensions_allowed => "txt, Png" do
		155	assert Attachment.valid_extension?(".pnG")
		156	assert !Attachment.valid_extension?(".jpeg")
		157	end
		158	with_settings :attachment_extensions_denied => "txt, Png" do
		159	assert !Attachment.valid_extension?(".pnG")
		160	assert Attachment.valid_extension?(".jpeg")
		161	end
		162	end
		163
125	def test_description_length_should_be_validated	164	def test_description_length_should_be_validated
126	a = Attachment.new(:description => 'a' * 300)	165	a = Attachment.new(:description => 'a' * 300)
127	assert !a.save	166	assert !a.save

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages