Feature #20008

Files upload Restriction by files extensions

Added by Varadharajan Sundaram almost 9 years ago. Updated over 8 years ago.

Status:
Closed
Priority:
Normal
Category:
Attachments
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed

Description

Hi,

We are using Redmine 2.5.1 with the settings below on Ubuntu 14.04 LTS.

Environment:
Redmine version 2.5.1.stable
Ruby version 2.0.0-p645 (2015-04-13) [x86_64-linux-gnu]
Rails version 3.2.17
Environment production
Database adapter MySQL
SCM:
Subversion 1.8.8
Git 1.9.1
Filesystem
Redmine plugins:
AgileDwarf 0.0.3
progressive_projects_list 1.0.0
redmine_cas 1.2.1
redmine_issue_templates 0.1.0
redmine_ldap_sync 2.0.4.g0693d11a0c

Everything is working fine, but our security team has refused to expose it outside (internet) because there is no option for file extension upload restrictions. That means we need to allow only certain files, but right now Redmine is accepting all file extensions (.exe, .zip, .msi, etc.). I searched the entire issue list and Google but had no luck. Please let me know what the solution for this is, and treat this as a bug.


Files

attachment.rb.patch (1.21 KB) - actual file blocking - madhusudan kh, 2015-06-09 14:51
en.yml.patch (742 Bytes) - message for file blocking - madhusudan kh, 2015-06-09 14:51
redmine-WhitelistAndBlacklist-attachment-extensions.diff (4.08 KB) - Jonathan Tee, 2015-10-06 11:51
screenshot.png (59.3 KB) - Jonathan Tee, 2015-10-06 11:52
Actions #1

Updated by Toshi MARUYAMA almost 9 years ago

  • Tracker changed from Defect to Feature
  • Category changed from Files to Attachments
  • Priority changed from High to Normal
Actions #2

Updated by Toshi MARUYAMA almost 9 years ago

  • Subject changed from Files upload Restriction is not available to Files upload Restriction by files extensions
Actions #3

Updated by Varadharajan Sundaram almost 9 years ago

Please let me know, can I try any alternative method to fix this issue?

Actions #4

Updated by madhusudan kh almost 9 years ago

Hi,

I got it working with a weird hack! I was facing the same issue; our security team won't allow the site to be exposed outside until basic security vulnerabilities are fixed. I tried with Apache by doing FilesMatch, but that didn't work, so I came up with this solution.

Ideally this is one of the basic needs for all web applications! I don't know why this was ignored. Anyway, here it is.

You need to change 2 files (on my system Redmine is installed in /usr/share/).

Main file to allow valid file types:
/usr/share/redmine/app/models/attachment.rb

Language-wise error notification output file:
/usr/share/redmine/config/locales/en.yml

Check the patch files attached for patching the above two files, and make sure you take a backup of these two files before patching.

How to patch:
Just cd to the respective directory and enter the commands below:

patch -p0 < attachment.rb.patch
patch -p0 < en.yml.patch

(Note: only files with the file types below are allowed.)

('.txt','.csv','.htm','.html','.xml','.css','.doc','.docx','.xls','.xlsx','.rtf','.ppt','.pptx','.pdf','.swf','.flv','.avi','.wmv','.mov','.jpg','.jpeg','.gif','.png')

If you want to add or delete extensions for allowed file types, you can modify the file /usr/share/redmine/app/models/attachment.rb.

Just go through it; you will get it.

Hope it will be useful for someone who is in real need; also hope to see this feature in the next version? :-)

Actions #5

Updated by Jonathan Tee over 8 years ago

Hi,

We made a new version of this patch, which should be easier to integrate into core. When the patch is installed, it does nothing. But under Settings you are able to define your own whitelist/blacklist for file extensions.

The following checks are made if you try to upload new files:

empty whitelist, empty blacklist: everything is allowed
empty whitelist, defined blacklist: only non-blacklisted extensions are allowed
defined whitelist, empty blacklist: only whitelisted extensions are allowed

If an extension is blacklisted, the whitelist will not be checked anymore for this extension.

Patch made for Redmine 3.1.
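
Added example (editor's note, not Redmine's own code and not the code in the attached patches of #4 or #5): a Ruby implementation of the whitelist/blacklist rules listed in #5, exercised against the whitelist posted in #4. The assumptions are mine, not from the thread: extensions compare case-insensitively, a leading dot in the configured list is optional, the list may be typed as a comma-separated string (as in a settings field) or passed as an array, and only the final extension of the filename is inspected, so `report.pdf.exe` is judged by `exe`. The module and method names (`AttachmentExtensionCheck`, `allowed?`, `rejection_message`) are hypothetical.

```ruby
require 'set'

# Added example for this thread (not Redmine's code, not the attached patches).
# Assumptions: case-insensitive comparison, leading dot optional in configured
# lists, only the final extension of the filename is inspected.
module AttachmentExtensionCheck
  # Turn ".txt, PDF ,jpg" (comma/space separated string) or an Array into a
  # Set of lowercase extensions without the leading dot.
  def self.normalize(list)
    items = list.is_a?(String) ? list.split(/[\s,]+/) : Array(list)
    items.map { |e| e.to_s.strip.downcase.sub(/\A\.+/, '') }
         .reject(&:empty?)
         .to_set
  end

  # Final extension of a filename, lowercase, without the dot.
  # "report.pdf.exe" -> "exe"; "README" -> "" (no extension).
  def self.extension_of(filename)
    File.extname(File.basename(filename.to_s)).downcase.sub(/\A\./, '')
  end

  # Rules as described in comment #5:
  #   empty whitelist, empty blacklist -> everything allowed
  #   empty whitelist, blacklist set   -> anything not blacklisted allowed
  #   whitelist set,   empty blacklist -> only whitelisted extensions allowed
  #   both set                         -> blacklist is checked first and wins;
  #                                       otherwise the whitelist decides
  def self.allowed?(filename, whitelist: [], blacklist: [])
    ext = extension_of(filename)
    return false if normalize(blacklist).include?(ext)
    wl = normalize(whitelist)
    wl.empty? || wl.include?(ext)
  end

  # The message a model validation would attach to the record; nil when the
  # file is allowed. Extensionless files are rejected by a non-empty whitelist.
  def self.rejection_message(filename, whitelist: [], blacklist: [])
    return nil if allowed?(filename, whitelist: whitelist, blacklist: blacklist)
    ext = extension_of(filename)
    if ext.empty?
      'files without an extension are not allowed'
    else
      "files with extension .#{ext} are not allowed"
    end
  end
end

# The whitelist posted in comment #4 of this thread.
COMMENT4_WHITELIST = %w[.txt .csv .htm .html .xml .css .doc .docx .xls .xlsx
                        .rtf .ppt .pptx .pdf .swf .flv .avi .wmv .mov .jpg
                        .jpeg .gif .png].freeze

if __FILE__ == $PROGRAM_NAME
  %w[notes.TXT tool.exe report.pdf.exe README].each do |name|
    msg = AttachmentExtensionCheck.rejection_message(name, whitelist: COMMENT4_WHITELIST)
    puts "#{name.ljust(16)} #{msg || 'allowed'}"
  end
end
```

Usage note: the check only sees the name the client supplies, so `evil.exe.pdf` passes a whitelist that contains `.pdf`; pair an extension filter with a `Content-Disposition: attachment` download response and, where the threat model needs it, content-type sniffing of the stored bytes. The blacklist-first ordering above is what makes "if an extension is blacklisted, the whitelist will not be checked anymore" hold even when an administrator lists the same extension in both fields.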

Actions #6

Updated by Jean-Philippe Lang over 8 years ago

  • Assignee set to Jean-Philippe Lang
  • Target version set to 3.2.0
Actions #7

Updated by Jean-Philippe Lang over 8 years ago

  • Status changed from New to Closed
  • Resolution set to Fixed

Feature added in r14792.
