discourse/lib/validators/upload_validator.rb

require_dependency "file_helper"

module Validators; end

class Validators::UploadValidator < ActiveModel::Validator

  def validate(upload)
    # check the attachment blacklist
    if upload.is_attachment_for_group_message && SiteSetting.allow_all_attachments_for_group_messages
      return upload.original_filename =~ SiteSetting.attachment_filename_blacklist_regex
    end

    extension = File.extname(upload.original_filename)[1..-1] || ""

    if is_authorized?(upload, extension)
      if FileHelper.is_image?(upload.original_filename)
        authorized_image_extension(upload, extension)
        maximum_image_file_size(upload)
      else
        authorized_attachment_extension(upload, extension)
        maximum_attachment_file_size(upload)
      end
    end
  end

  def is_authorized?(upload, extension)
    authorized_extensions(upload, extension, authorized_uploads(upload))
  end

  def authorized_image_extension(upload, extension)
    authorized_extensions(upload, extension, authorized_images(upload))
  end

  def maximum_image_file_size(upload)
    maximum_file_size(upload, "image")
  end

  def authorized_attachment_extension(upload, extension)
    authorized_extensions(upload, extension, authorized_attachments(upload))
  end

  def maximum_attachment_file_size(upload)
    maximum_file_size(upload, "attachment")
  end

  private

  def authorized_uploads(upload)
    authorized_uploads = Set.new

    extensions = upload.for_theme ? SiteSetting.theme_authorized_extensions : SiteSetting.authorized_extensions

    extensions
      .gsub(/[\s\.]+/, "")
      .downcase
      .split("|")
      .each { |extension| authorized_uploads << extension unless extension.include?("*") }

    authorized_uploads
  end

  def authorized_images(upload)
    authorized_uploads(upload) & FileHelper.images
  end

  def authorized_attachments(upload)
    authorized_uploads(upload) - FileHelper.images
  end

  def authorizes_all_extensions?(upload)
    extensions = upload.for_theme ? SiteSetting.theme_authorized_extensions : SiteSetting.authorized_extensions
    extensions.include?("*")
  end

  def authorized_extensions(upload, extension, extensions)
    return true if authorizes_all_extensions?(upload)

    unless authorized = extensions.include?(extension.downcase)
      message = I18n.t("upload.unauthorized", authorized_extensions: extensions.to_a.join(", "))
      upload.errors.add(:original_filename, message)
    end

    authorized
  end

  def maximum_file_size(upload, type)
    max_size_kb = SiteSetting.send("max_#{type}_size_kb")
    max_size_bytes = max_size_kb.kilobytes

    if upload.filesize > max_size_bytes
      message = I18n.t("upload.#{type}s.too_large", max_size_kb: max_size_kb)
      upload.errors.add(:filesize, message)
    end
  end

end
FEATURE: support email attachments 2014-04-14 16:55:57 -04:00			`require_dependency "file_helper"`

			`module Validators; end`

			`class Validators::UploadValidator < ActiveModel::Validator`

			`def validate(upload)`
FEATURE: new email attachment blacklists site settings 2016-08-03 11:55:54 -04:00			`# check the attachment blacklist`
always strip s/mime signatures in incoming emails 2016-06-27 16:26:05 -04:00			`if upload.is_attachment_for_group_message && SiteSetting.allow_all_attachments_for_group_messages`
FEATURE: new email attachment blacklists site settings 2016-08-03 11:55:54 -04:00			`return upload.original_filename =~ SiteSetting.attachment_filename_blacklist_regex`
always strip s/mime signatures in incoming emails 2016-06-27 16:26:05 -04:00			`end`
FEATURE: new 'allow_all_attachments_for_group_messages' site setting 2016-02-29 16:39:24 -05:00
FIX: NoMethodError in on extension.upcase when upload's original filename has no extension. 2014-07-14 21:15:17 -04:00			`extension = File.extname(upload.original_filename)[1..-1] \|\| ""`
FEATURE: support email attachments 2014-04-14 16:55:57 -04:00
			`if is_authorized?(upload, extension)`
			`if FileHelper.is_image?(upload.original_filename)`
			`authorized_image_extension(upload, extension)`
			`maximum_image_file_size(upload)`
			`else`
			`authorized_attachment_extension(upload, extension)`
			`maximum_attachment_file_size(upload)`
			`end`
			`end`
			`end`

			`def is_authorized?(upload, extension)`
FEATURE: support uploads for themes This allows themes to bundle various assets 2017-05-09 17:20:28 -04:00			`authorized_extensions(upload, extension, authorized_uploads(upload))`
FEATURE: support email attachments 2014-04-14 16:55:57 -04:00			`end`

			`def authorized_image_extension(upload, extension)`
FEATURE: support uploads for themes This allows themes to bundle various assets 2017-05-09 17:20:28 -04:00			`authorized_extensions(upload, extension, authorized_images(upload))`
FEATURE: support email attachments 2014-04-14 16:55:57 -04:00			`end`

			`def maximum_image_file_size(upload)`
			`maximum_file_size(upload, "image")`
			`end`

			`def authorized_attachment_extension(upload, extension)`
FEATURE: support uploads for themes This allows themes to bundle various assets 2017-05-09 17:20:28 -04:00			`authorized_extensions(upload, extension, authorized_attachments(upload))`
FEATURE: support email attachments 2014-04-14 16:55:57 -04:00			`end`

			`def maximum_attachment_file_size(upload)`
			`maximum_file_size(upload, "attachment")`
			`end`

			`private`

FEATURE: support uploads for themes This allows themes to bundle various assets 2017-05-09 17:20:28 -04:00			`def authorized_uploads(upload)`
FEATURE: support email attachments 2014-04-14 16:55:57 -04:00			`authorized_uploads = Set.new`

FEATURE: support uploads for themes This allows themes to bundle various assets 2017-05-09 17:20:28 -04:00			`extensions = upload.for_theme ? SiteSetting.theme_authorized_extensions : SiteSetting.authorized_extensions`

			`extensions`
FIX: uploading custom avatar was always hidden 2016-10-20 13:53:41 -04:00			`.gsub(/[\s\.]+/, "")`
			`.downcase`
FEATURE: support email attachments 2014-04-14 16:55:57 -04:00			`.split("\|")`
FIX: uploading custom avatar was always hidden 2016-10-20 13:53:41 -04:00			`.each { \|extension\| authorized_uploads << extension unless extension.include?("*") }`
FEATURE: support email attachments 2014-04-14 16:55:57 -04:00
			`authorized_uploads`
			`end`

FEATURE: support uploads for themes This allows themes to bundle various assets 2017-05-09 17:20:28 -04:00			`def authorized_images(upload)`
			`authorized_uploads(upload) & FileHelper.images`
FEATURE: support email attachments 2014-04-14 16:55:57 -04:00			`end`

FEATURE: support uploads for themes This allows themes to bundle various assets 2017-05-09 17:20:28 -04:00			`def authorized_attachments(upload)`
			`authorized_uploads(upload) - FileHelper.images`
FEATURE: support for enabling all upload file types BUGFIX: authorized extensions is now case insensitive 2014-04-29 13:12:35 -04:00			`end`

FEATURE: support uploads for themes This allows themes to bundle various assets 2017-05-09 17:20:28 -04:00			`def authorizes_all_extensions?(upload)`
			`extensions = upload.for_theme ? SiteSetting.theme_authorized_extensions : SiteSetting.authorized_extensions`
			`extensions.include?("*")`
FEATURE: support email attachments 2014-04-14 16:55:57 -04:00			`end`

			`def authorized_extensions(upload, extension, extensions)`
FEATURE: support uploads for themes This allows themes to bundle various assets 2017-05-09 17:20:28 -04:00			`return true if authorizes_all_extensions?(upload)`
FEATURE: support for enabling all upload file types BUGFIX: authorized extensions is now case insensitive 2014-04-29 13:12:35 -04:00
			`unless authorized = extensions.include?(extension.downcase)`
FEATURE: support email attachments 2014-04-14 16:55:57 -04:00			`message = I18n.t("upload.unauthorized", authorized_extensions: extensions.to_a.join(", "))`
			`upload.errors.add(:original_filename, message)`
			`end`
FEATURE: support for enabling all upload file types BUGFIX: authorized extensions is now case insensitive 2014-04-29 13:12:35 -04:00
FEATURE: support email attachments 2014-04-14 16:55:57 -04:00			`authorized`
			`end`

			`def maximum_file_size(upload, type)`
FIX: error message used wrong filesize 2015-05-03 13:26:54 -04:00			`max_size_kb = SiteSetting.send("max_#{type}_size_kb")`
			`max_size_bytes = max_size_kb.kilobytes`
FEATURE: support for enabling all upload file types BUGFIX: authorized extensions is now case insensitive 2014-04-29 13:12:35 -04:00
FIX: error message used wrong filesize 2015-05-03 13:26:54 -04:00			`if upload.filesize > max_size_bytes`
FEATURE: support email attachments 2014-04-14 16:55:57 -04:00			`message = I18n.t("upload.#{type}s.too_large", max_size_kb: max_size_kb)`
			`upload.errors.add(:filesize, message)`
			`end`
			`end`

			`end`