FEATURE: new email attachment blacklists site settings

This commit is contained in:
Régis Hanol 2016-08-03 17:55:54 +02:00
parent cb809784df
commit e92f5e4fbf
5 changed files with 24 additions and 5 deletions

View file

@ -109,6 +109,14 @@ class SiteSetting < ActiveRecord::Base
def self.email_polling_enabled?
SiteSetting.manual_polling_enabled? || SiteSetting.pop3_polling_enabled?
end
def self.attachment_content_type_blacklist_regex
@attachment_content_type_blacklist_regex ||= Regexp.union(SiteSetting.attachment_content_type_blacklist.split("|"))
end
def self.attachment_filename_blacklist_regex
@attachment_filename_blacklist_regex ||= Regexp.union(SiteSetting.attachment_filename_blacklist.split("|"))
end
end
# == Schema Information

View file

@ -1218,6 +1218,9 @@ en:
bounce_score_threshold_deactivate: "Max bounce score before we will deactivate a user."
reset_bounce_score_after_days: "Automatically reset bounce score after X days."
attachment_content_type_blacklist: "List of keywords used to blacklist attachments based on the content type."
attachment_filename_blacklist: "List of keywords used to blacklist attachments based on the filename."
manual_polling_enabled: "Push emails using the API for email replies."
pop3_polling_enabled: "Poll via POP3 for email replies."
pop3_polling_ssl: "Use SSL while connecting to the POP3 server. (Recommended)"

View file

@ -630,6 +630,12 @@ email:
default: 2
min: 2
reset_bounce_score_after_days: 30
attachment_content_type_blacklist:
type: list
default: "pkcs7"
attachment_filename_blacklist:
type: list
default: "smime.p7s|signature.asc"
files:

View file

@ -436,11 +436,14 @@ module Email
raise InvalidPostAction.new(e)
end
def create_post_with_attachments(options={})
# deal with attachments
@mail.attachments.each do |attachment|
# always strip S/MIME signatures
next if attachment.content_type == "application/pkcs7-mime".freeze
# strip blacklisted attachments (mostly signatures)
next if attachment.content_type =~ SiteSetting.attachment_content_type_blacklist_regex
next if attachment.filename =~ SiteSetting.attachment_filename_blacklist_regex
tmp = Tempfile.new("discourse-email-attachment")
begin

View file

@ -5,10 +5,9 @@ module Validators; end
class Validators::UploadValidator < ActiveModel::Validator
def validate(upload)
# allow all attachments except S/MIME signatures
# cf. https://meta.discourse.org/t/strip-s-mime-signatures/46371
# check the attachment blacklist
if upload.is_attachment_for_group_message && SiteSetting.allow_all_attachments_for_group_messages
return upload.original_filename != "smime.p7s".freeze
return upload.original_filename =~ SiteSetting.attachment_filename_blacklist_regex
end
extension = File.extname(upload.original_filename)[1..-1] || ""