From 5e459736204106b7c46e47439bd989b9accadc3e Mon Sep 17 00:00:00 2001
From: Holger Just
Date: Tue, 1 Dec 2020 16:58:10 +0100
Subject: [PATCH] Validate attachment filenames on every change

---
 app/models/attachment.rb | 11 +++++------
 .../acts_as_attachable/lib/acts_as_attachable.rb | 2 +-
 test/unit/attachment_test.rb | 13 +++++++++++++
 3 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/app/models/attachment.rb b/app/models/attachment.rb
index ad76c06df9..2341c9cb46 100644
--- a/app/models/attachment.rb
+++ b/app/models/attachment.rb
@@ -30,7 +30,8 @@ class Attachment < ActiveRecord::Base
 validates_length_of :filename, :maximum => 255
 validates_length_of :disk_filename, :maximum => 255
 validates_length_of :description, :maximum => 255
- validate :validate_max_file_size, :validate_file_extension
+ validate :validate_max_file_size
+ validate :validate_file_extension, :if => :filename_changed?
 
 acts_as_event(
 :title => :filename,
@@ -91,11 +92,9 @@ class Attachment < ActiveRecord::Base
 end
 
 def validate_file_extension
- if @temp_file
- extension = File.extname(filename)
- unless self.class.valid_extension?(extension)
- errors.add(:base, l(:error_attachment_extension_not_allowed, :extension => extension))
- end
+ extension = File.extname(filename)
+ unless self.class.valid_extension?(extension)
+ errors.add(:base, l(:error_attachment_extension_not_allowed, :extension => extension))
 end
 end
 
diff --git a/lib/plugins/acts_as_attachable/lib/acts_as_attachable.rb b/lib/plugins/acts_as_attachable/lib/acts_as_attachable.rb
index 7db1939a70..8899102bf0 100644
--- a/lib/plugins/acts_as_attachable/lib/acts_as_attachable.rb
+++ b/lib/plugins/acts_as_attachable/lib/acts_as_attachable.rb
@@ -107,7 +107,7 @@ module Redmine
 end
 next unless a
 a.description = attachment['description'].to_s.strip
- if a.new_record?
+ if a.new_record? || a.invalid?
 unsaved_attachments << a
 else
 saved_attachments << a
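Review bot: The new `validate :validate_file_extension, :if => :filename_changed?` declaration carries no explanation of why the dirty-tracking condition replaced the former `@temp_file` guard, and a later maintainer could reasonably assume the extension check only matters at upload time. A one-line comment above it, `# Check the extension whenever filename is assigned, not only on upload, so a rename after upload cannot bypass the allowed/denied lists`, would make the intent explicit. It is also worth stating that a persisted attachment whose filename is untouched is no longer re-checked on save, so a later tightening of the denied-extensions setting is not retroactively enforced on existing records, which seems intended but is not obvious from the line. The class body continues outside this hunk.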
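Review bot: The rewritten body of `validate_file_extension` calls `File.extname(filename)` with no nil guard; since the method now runs whenever `filename_changed?` is true, assigning `filename = nil` on a persisted record would raise TypeError out of `File.extname` rather than adding a validation error. If the `filename=` writer (not visible in this hunk) always stores a String this cannot occur, otherwise `extension = File.extname(filename.to_s)` keeps the check total. The removed `@temp_file` guard presumably only ran the check when a file had just been assigned, so this path is newly reachable.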
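Review bot: `a.invalid?` on the changed line runs the full validation set on a persisted attachment, not just the extension check, and it repopulates `a.errors` at this point in the loop rather than at the eventual save, so the routing reflects the attachment's state before any container assignment that may happen later. The reason the re-validation is needed, a filename reassigned from request parameters earlier in the loop, is presumably outside this hunk, so the condition deserves a comment: `# Persisted attachments may have had their filename changed above; re-validate so a denied extension is rejected`. The enclosing `each` block and the `if` it closes both extend beyond the hunk.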
diff --git a/test/unit/attachment_test.rb b/test/unit/attachment_test.rb
index 868e83f488..6f9438cb0e 100644
--- a/test/unit/attachment_test.rb
+++ b/test/unit/attachment_test.rb
@@ -152,6 +152,19 @@ class AttachmentTest < ActiveSupport::TestCase
 end
 end
 
+ def test_extension_update_should_be_validated_against_denied_extensions
+ with_settings :attachment_extensions_denied => "txt, png" do
+ a = Attachment.new(:container => Issue.find(1),
+ :file => mock_file_with_options(:original_filename => "test.jpeg"),
+ :author => User.find(1))
+ assert_save a
+
+ b = Attachment.find(a.id)
+ b.filename = "test.png"
+ assert !b.save
+ end
+ end
+
 def test_valid_extension_should_be_case_insensitive
 with_settings :attachment_extensions_allowed => "txt, Png" do
 assert Attachment.valid_extension?(".pnG")
-- 
2.26.2
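Review bot: `assert !b.save` at the end of the new test only proves that the save failed, not that it failed because of the extension; the test would still pass if the reloaded record were invalid for an unrelated reason. Asserting the cause keeps the regression test honest: `assert_not b.save` followed by `assert b.errors[:base].present?`, or a comparison against the `error_attachment_extension_not_allowed` message. The positive case, renaming to a still-permitted extension on a persisted attachment and saving successfully, and the equivalent rule under `attachment_extensions_allowed` are not covered here and would pin down both halves of the new `:if => :filename_changed?` behaviour.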