From e92f5e4fbf04a88d37dc5069917090abf6c07dec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9gis=20Hanol?=
Date: Wed, 3 Aug 2016 17:55:54 +0200
Subject: [PATCH] FEATURE: new email attachment blacklists site settings
---
 app/models/site_setting.rb | 8 ++++++++
 config/locales/server.en.yml | 3 +++
 config/site_settings.yml | 6 ++++++
 lib/email/receiver.rb | 7 +++++--
 lib/validators/upload_validator.rb | 5 ++---
 5 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/app/models/site_setting.rb b/app/models/site_setting.rb
index 9b694bca9..dcc74ecfc 100644
--- a/app/models/site_setting.rb
+++ b/app/models/site_setting.rb
@@ -109,6 +109,14 @@ class SiteSetting < ActiveRecord::Base
 def self.email_polling_enabled?
 SiteSetting.manual_polling_enabled? || SiteSetting.pop3_polling_enabled?
 end
+
+ def self.attachment_content_type_blacklist_regex
+ @attachment_content_type_blacklist_regex ||= Regexp.union(SiteSetting.attachment_content_type_blacklist.split("|"))
+ end
+
+ def self.attachment_filename_blacklist_regex
+ @attachment_filename_blacklist_regex ||= Regexp.union(SiteSetting.attachment_filename_blacklist.split("|"))
+ end
 end
 # == Schema Information
diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
index 4b8d9fa66..dd1488a33 100644
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@@ -1218,6 +1218,9 @@ en:
 bounce_score_threshold_deactivate: "Max bounce score before we will deactivate a user."
 reset_bounce_score_after_days: "Automatically reset bounce score after X days."
+ attachment_content_type_blacklist: "List of keywords used to blacklist attachments based on the content type."
+ attachment_filename_blacklist: "List of keywords used to blacklist attachments based on the filename."
+ + manual_polling_enabled: "Push emails using the API for email replies."
 pop3_polling_enabled: "Poll via POP3 for email replies."
 pop3_polling_ssl: "Use SSL while connecting to the POP3 server. (Recommended)"
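Review bot: The `||=` in both new class methods caches the compiled Regexp in a class-level instance variable for the life of the process, so changing `attachment_content_type_blacklist` or `attachment_filename_blacklist` in the admin UI takes effect only after a restart, and in a multisite process the first site's list would presumably be applied to every site. Separately, `split("|")` keeps empty elements produced by a leading or doubled separator (`"|pkcs7"` gives `["", "pkcs7"]`), and `Regexp.union` of a list containing `""` matches every string, so a stray separator turns the `=~` checks added in lib/email/receiver.rb and lib/validators/upload_validator.rb into a match on every attachment. Both methods are cheap enough to rebuild on each call, `Regexp.union(SiteSetting.attachment_content_type_blacklist.split("|").reject(&:empty?))` (and the same for the filename list); `Regexp.union` escapes each keyword, so the admin-supplied text is still matched literally. Because the callers match with `=~`, the union should probably also be compiled with `Regexp::IGNORECASE` so that `SMIME.P7S` or `Application/PKCS7-MIME` is not missed.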
diff --git a/config/site_settings.yml b/config/site_settings.yml
index ac14b4cda..8d6128c3b 100644
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@@ -630,6 +630,12 @@ email:
 default: 2
 min: 2
 reset_bounce_score_after_days: 30
+ attachment_content_type_blacklist:
+ type: list
+ default: "pkcs7"
+ attachment_filename_blacklist:
+ type: list
+ default: "smime.p7s|signature.asc"
 files:
diff --git a/lib/email/receiver.rb b/lib/email/receiver.rb
index 7a2eda855..a5ff182df 100644
--- a/lib/email/receiver.rb
+++ b/lib/email/receiver.rb
@@ -436,11 +436,14 @@ module Email
 raise InvalidPostAction.new(e)
 end
+
+ def create_post_with_attachments(options={})
 # deal with attachments
 @mail.attachments.each do |attachment|
- # always strip S/MIME signatures
- next if attachment.content_type == "application/pkcs7-mime".freeze
+ # strip blacklisted attachments (mostly signatures)
+ next if attachment.content_type =~ SiteSetting.attachment_content_type_blacklist_regex
+ next if attachment.filename =~ SiteSetting.attachment_filename_blacklist_regex
 tmp = Tempfile.new("discourse-email-attachment")
 begin
diff --git a/lib/validators/upload_validator.rb b/lib/validators/upload_validator.rb
index 23cfe2f81..9d871ba52 100644
--- a/lib/validators/upload_validator.rb
+++ b/lib/validators/upload_validator.rb
@@ -5,10 +5,9 @@ module Validators; end
 class Validators::UploadValidator < ActiveModel::Validator
 def validate(upload)
- # allow all attachments except S/MIME signatures
- # cf. https://meta.discourse.org/t/strip-s-mime-signatures/46371
+ # check the attachment blacklist
 if upload.is_attachment_for_group_message && SiteSetting.allow_all_attachments_for_group_messages
- return upload.original_filename != "smime.p7s".freeze
+ return upload.original_filename =~ SiteSetting.attachment_filename_blacklist_regex
 end
 extension = File.extname(upload.original_filename)[1..-1] || ""
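Review bot: The new `return upload.original_filename =~ SiteSetting.attachment_filename_blacklist_regex` line enforces nothing: as far as I can see ActiveModel ignores the return value of `validate`, and no error is added before the early return, so a blacklisted filename on a group-message attachment passes validation like any other (the old `!=` line had the same gap, the new one merely inverts its truthiness). The `validate` method continues past the end of the hunk. The smallest fix is to let a match fall through to the regular extension check instead of returning, `return unless upload.original_filename =~ SiteSetting.attachment_filename_blacklist_regex`, or, if blacklisted names must be refused regardless of extension, add an explicit error on `upload.errors` when the regex matches. The new `# check the attachment blacklist` comment would then read better as `# blacklisted attachments are not exempt from the extension check`.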