
FEATURE: new email attachment blacklists site settings

ZogStriP committed Aug 3, 2016
1 parent cb80978 commit e92f5e4fbf04a88d37dc5069917090abf6c07dec
@@ -109,6 +109,14 @@ def self.min_redirected_to_top_period
def self.email_polling_enabled?
SiteSetting.manual_polling_enabled? || SiteSetting.pop3_polling_enabled?
end

def self.attachment_content_type_blacklist_regex
@attachment_content_type_blacklist_regex ||= Regexp.union(SiteSetting.attachment_content_type_blacklist.split("|"))
end

def self.attachment_filename_blacklist_regex
@attachment_filename_blacklist_regex ||= Regexp.union(SiteSetting.attachment_filename_blacklist.split("|"))
end
end

# == Schema Information
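Review bot: The `||=` on the two new class-level regexes (the `@attachment_content_type_blacklist_regex` and `@attachment_filename_blacklist_regex` lines) caches the compiled pattern for the life of the process, so an admin changing `attachment_content_type_blacklist` or `attachment_filename_blacklist` afterwards has no effect until a restart, and separate workers can end up holding different patterns; site settings are mutable at runtime, so either drop the memoization, `Regexp.union(SiteSetting.attachment_content_type_blacklist.split("|"))`, or cache keyed on the raw setting string. Separately, `Regexp.union` produces a case-sensitive pattern while content types and filenames arrive in sender-controlled case (`SMIME.P7S`), so the `=~` checks in `create_post_with_attachments` and in `UploadValidator#validate` in the later hunks silently miss such variants; building with `Regexp.new(Regexp.union(...).source, Regexp::IGNORECASE)` or downcasing before matching closes that gap. The enclosing class starts before the hunk.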
@@ -1218,6 +1218,9 @@ en:
bounce_score_threshold_deactivate: "Max bounce score before we will deactivate a user."
reset_bounce_score_after_days: "Automatically reset bounce score after X days."

attachment_content_type_blacklist: "List of keywords used to blacklist attachments based on the content type."
attachment_filename_blacklist: "List of keywords used to blacklist attachments based on the filename."

manual_polling_enabled: "Push emails using the API for email replies."
pop3_polling_enabled: "Poll via POP3 for email replies."
pop3_polling_ssl: "Use SSL while connecting to the POP3 server. (Recommended)"
@@ -630,6 +630,12 @@ email:
default: 2
min: 2
reset_bounce_score_after_days: 30
attachment_content_type_blacklist:
type: list
default: "pkcs7"
attachment_filename_blacklist:
type: list
default: "smime.p7s|signature.asc"


files:
@@ -436,11 +436,14 @@ def create_post_action(user, post, type)
raise InvalidPostAction.new(e)
end



def create_post_with_attachments(options={})
# deal with attachments
@mail.attachments.each do |attachment|
# always strip S/MIME signatures
next if attachment.content_type == "application/pkcs7-mime".freeze
# strip blacklisted attachments (mostly signatures)
next if attachment.content_type =~ SiteSetting.attachment_content_type_blacklist_regex
next if attachment.filename =~ SiteSetting.attachment_filename_blacklist_regex

tmp = Tempfile.new("discourse-email-attachment")
begin
@@ -5,10 +5,9 @@ module Validators; end
class Validators::UploadValidator < ActiveModel::Validator

def validate(upload)
# allow all attachments except S/MIME signatures
# cf. https://meta.discourse.org/t/strip-s-mime-signatures/46371
# check the attachment blacklist
if upload.is_attachment_for_group_message && SiteSetting.allow_all_attachments_for_group_messages
return upload.original_filename != "smime.p7s".freeze
return upload.original_filename =~ SiteSetting.attachment_filename_blacklist_regex
end

extension = File.extname(upload.original_filename)[1..-1] || ""
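Review bot: The new line `return upload.original_filename =~ SiteSetting.attachment_filename_blacklist_regex` has no effect, because ActiveModel does not use the return value of `Validator#validate`; this branch already returned unconditionally before the change, so a blacklisted filename in a group message passes validation both before and after, and the only way to reject it is to add an error on the upload before returning. The expression also yields an Integer offset or nil rather than a boolean, so it reads as a predicate but is not one. The body of `validate` continues past the hunk.
```ruby
  if upload.is_attachment_for_group_message && SiteSetting.allow_all_attachments_for_group_messages
    if upload.original_filename =~ SiteSetting.attachment_filename_blacklist_regex
      upload.errors.add(:original_filename, "<blacklisted attachment message — placeholder, use an I18n key>")
    end
    return
  end
  # … unchanged: extension checks …
```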

1 comment on commit e92f5e4


discoursebot commented on e92f5e4 Nov 8, 2019

This commit has been mentioned on Discourse Meta. There might be relevant details there:

https://meta.discourse.org/t/why-does-discourse-block-cryptographic-signatures-by-default/132912/1
