FEATURE: new email attachment blacklists site settings

2016-08-03 17:55:54 +02:00 · 2016-08-03 17:55:54 +02:00 · e92f5e4fbf
parent cb809784df
commit e92f5e4fbf
5 changed files with 24 additions and 5 deletions
--- a/app/models/site_setting.rb
+++ b/app/models/site_setting.rb
@ -109,6 +109,14 @@ class SiteSetting < ActiveRecord::Base
  def self.email_polling_enabled?
    SiteSetting.manual_polling_enabled? || SiteSetting.pop3_polling_enabled?
  end
+
+  def self.attachment_content_type_blacklist_regex
+    @attachment_content_type_blacklist_regex ||= Regexp.union(SiteSetting.attachment_content_type_blacklist.split("|"))
+  end
+
+  def self.attachment_filename_blacklist_regex
+    @attachment_filename_blacklist_regex ||= Regexp.union(SiteSetting.attachment_filename_blacklist.split("|"))
+  end
 end

 # == Schema Information
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@ -1218,6 +1218,9 @@ en:
    bounce_score_threshold_deactivate: "Max bounce score before we will deactivate a user."
    reset_bounce_score_after_days: "Automatically reset bounce score after X days."

+    attachment_content_type_blacklist: "List of keywords used to blacklist attachments based on the content type."
+    attachment_filename_blacklist: "List of keywords used to blacklist attachments based on the filename."
+
    manual_polling_enabled: "Push emails using the API for email replies."
    pop3_polling_enabled: "Poll via POP3 for email replies."
    pop3_polling_ssl: "Use SSL while connecting to the POP3 server. (Recommended)"
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@ -630,6 +630,12 @@ email:
    default: 2
    min: 2
  reset_bounce_score_after_days: 30
+  attachment_content_type_blacklist:
+    type: list
+    default: "pkcs7"
+  attachment_filename_blacklist:
+    type: list
+    default: "smime.p7s|signature.asc"


 files:
--- a/lib/email/receiver.rb
+++ b/lib/email/receiver.rb
@ -436,11 +436,14 @@ module Email
      raise InvalidPostAction.new(e)
    end

+
+
    def create_post_with_attachments(options={})
      # deal with attachments
      @mail.attachments.each do |attachment|
-        # always strip S/MIME signatures
-        next if attachment.content_type == "application/pkcs7-mime".freeze
+        # strip blacklisted attachments (mostly signatures)
+        next if attachment.content_type =~ SiteSetting.attachment_content_type_blacklist_regex
+        next if attachment.filename =~ SiteSetting.attachment_filename_blacklist_regex

        tmp = Tempfile.new("discourse-email-attachment")
        begin
--- a/lib/validators/upload_validator.rb
+++ b/lib/validators/upload_validator.rb
@ -5,10 +5,9 @@ module Validators; end
 class Validators::UploadValidator < ActiveModel::Validator

  def validate(upload)
-    # allow all attachments except S/MIME signatures
-    # cf. https://meta.discourse.org/t/strip-s-mime-signatures/46371
+    # check the attachment blacklist
    if upload.is_attachment_for_group_message && SiteSetting.allow_all_attachments_for_group_messages
-      return upload.original_filename != "smime.p7s".freeze
+      return upload.original_filename =~ SiteSetting.attachment_filename_blacklist_regex
    end

    extension = File.extname(upload.original_filename)[1..-1] || ""