FEATURE: new email attachment blacklists site settings

app/models/site_setting.rb

@@ -109,6 +109,14 @@ class SiteSetting < ActiveRecord::Base
   def self.email_polling_enabled?
     SiteSetting.manual_polling_enabled? || SiteSetting.pop3_polling_enabled?
   end
+
+  def self.attachment_content_type_blacklist_regex
+    @attachment_content_type_blacklist_regex ||= Regexp.union(SiteSetting.attachment_content_type_blacklist.split("|"))
+  end
+
+  def self.attachment_filename_blacklist_regex
+    @attachment_filename_blacklist_regex ||= Regexp.union(SiteSetting.attachment_filename_blacklist.split("|"))
+  end
 end
 
 # == Schema Information

config/locales/server.en.yml

@@ -1218,6 +1218,9 @@ en:
     bounce_score_threshold_deactivate: "Max bounce score before we will deactivate a user."
     reset_bounce_score_after_days: "Automatically reset bounce score after X days."
 
+    attachment_content_type_blacklist: "List of keywords used to blacklist attachments based on the content type."
+    attachment_filename_blacklist: "List of keywords used to blacklist attachments based on the filename."
+
     manual_polling_enabled: "Push emails using the API for email replies."
     pop3_polling_enabled: "Poll via POP3 for email replies."
     pop3_polling_ssl: "Use SSL while connecting to the POP3 server. (Recommended)"

config/site_settings.yml

@@ -630,6 +630,12 @@ email:
     default: 2
     min: 2
   reset_bounce_score_after_days: 30
+  attachment_content_type_blacklist:
+    type: list
+    default: "pkcs7"
+  attachment_filename_blacklist:
+    type: list
+    default: "smime.p7s|signature.asc"
 
 
 files:

lib/email/receiver.rb

@@ -436,11 +436,14 @@ module Email
       raise InvalidPostAction.new(e)
     end
 
+
+
     def create_post_with_attachments(options={})
       # deal with attachments
       @mail.attachments.each do |attachment|
-        # always strip S/MIME signatures
+        # strip blacklisted attachments (mostly signatures)
-        next if attachment.content_type == "application/pkcs7-mime".freeze
+        next if attachment.content_type =~ SiteSetting.attachment_content_type_blacklist_regex
+        next if attachment.filename =~ SiteSetting.attachment_filename_blacklist_regex
 
         tmp = Tempfile.new("discourse-email-attachment")
         begin

lib/validators/upload_validator.rb

@@ -5,10 +5,9 @@ module Validators; end
 class Validators::UploadValidator < ActiveModel::Validator
 
   def validate(upload)
-    # allow all attachments except S/MIME signatures
+    # check the attachment blacklist
-    # cf. https://meta.discourse.org/t/strip-s-mime-signatures/46371
     if upload.is_attachment_for_group_message && SiteSetting.allow_all_attachments_for_group_messages
-      return upload.original_filename != "smime.p7s".freeze
+      return upload.original_filename =~ SiteSetting.attachment_filename_blacklist_regex
     end
 
     extension = File.extname(upload.original_filename)[1..-1] || ""