FEATURE: new email attachment blacklists site settings

FEATURE: new email attachment blacklists site settings

diff --git a/app/models/site_setting.rb b/app/models/site_setting.rb
index 9b694bca95..dcc74ecfc3 100644
--- a/app/models/site_setting.rb
+++ b/app/models/site_setting.rb
@@ -109,6 +109,14 @@ class SiteSetting < ActiveRecord::Base
   def self.email_polling_enabled?
     SiteSetting.manual_polling_enabled? || SiteSetting.pop3_polling_enabled?
   end
+
+  def self.attachment_content_type_blacklist_regex
+    @attachment_content_type_blacklist_regex ||= Regexp.union(SiteSetting.attachment_content_type_blacklist.split("|"))
+  end
+
+  def self.attachment_filename_blacklist_regex
+    @attachment_filename_blacklist_regex ||= Regexp.union(SiteSetting.attachment_filename_blacklist.split("|"))
+  end
 end
 
 # == Schema Information
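Review bot: Both new helpers memoize the compiled regex with `||=` in a class instance variable, so the first value of `attachment_content_type_blacklist` / `attachment_filename_blacklist` read by a process is the one used until that process restarts; if these settings are meant to be editable at runtime (the locale strings describe them as admin-facing settings), an updated blacklist would silently not apply. Unless a change hook elsewhere resets these ivars (not visible here), the simplest fix is to drop the caching: `Regexp.union(SiteSetting.attachment_filename_blacklist.split("|"))` and likewise for the content-type variant. Separately, `Regexp.union` of plain strings produces a case-sensitive pattern, while MIME types are case-insensitive, so a caller that compares raw header values should normalise first (e.g. `downcase` the input) or the pattern should be built with `Regexp::IGNORECASE`.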
diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
index 4b8d9fa667..dd1488a334 100644
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@@ -1218,6 +1218,9 @@ en:
     bounce_score_threshold_deactivate: "Max bounce score before we will deactivate a user."
     reset_bounce_score_after_days: "Automatically reset bounce score after X days."
 
+    attachment_content_type_blacklist: "List of keywords used to blacklist attachments based on the content type."
+    attachment_filename_blacklist: "List of keywords used to blacklist attachments based on the filename."
+
     manual_polling_enabled: "Push emails using the API for email replies."
     pop3_polling_enabled: "Poll via POP3 for email replies."
     pop3_polling_ssl: "Use SSL while connecting to the POP3 server. (Recommended)"
diff --git a/config/site_settings.yml b/config/site_settings.yml
index ac14b4cda1..8d6128c3b6 100644
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@@ -630,6 +630,12 @@ email:
     default: 2
     min: 2
   reset_bounce_score_after_days: 30
+  attachment_content_type_blacklist:
+    type: list
+    default: "pkcs7"
+  attachment_filename_blacklist:
+    type: list
+    default: "smime.p7s|signature.asc"
 
 
 files:
diff --git a/lib/email/receiver.rb b/lib/email/receiver.rb
index 7a2eda855c..a5ff182dfb 100644
--- a/lib/email/receiver.rb
+++ b/lib/email/receiver.rb
@@ -436,11 +436,14 @@ module Email
       raise InvalidPostAction.new(e)
     end
 
+
+
     def create_post_with_attachments(options={})
       # deal with attachments
       @mail.attachments.each do |attachment|
-        # always strip S/MIME signatures
-        next if attachment.content_type == "application/pkcs7-mime".freeze
+        # strip blacklisted attachments (mostly signatures)
+        next if attachment.content_type =~ SiteSetting.attachment_content_type_blacklist_regex
+        next if attachment.filename =~ SiteSetting.attachment_filename_blacklist_regex
 
         tmp = Tempfile.new("discourse-email-attachment")
         begin
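Review bot: The two added blank lines before `def create_post_with_attachments` leave three consecutive empty lines between methods, where the rest of the file (and the Ruby style guide) uses one; drop them. The matching on the next lines is case-sensitive, so `attachment.content_type` values with different casing would not hit the blacklist — consider `next if attachment.content_type.to_s.downcase =~ SiteSetting.attachment_content_type_blacklist_regex` if the blacklist is kept lowercase. The body of create_post_with_attachments continues outside the hunk.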
diff --git a/lib/validators/upload_validator.rb b/lib/validators/upload_validator.rb
index 23cfe2f811..9d871ba520 100644
--- a/lib/validators/upload_validator.rb
+++ b/lib/validators/upload_validator.rb
@@ -5,10 +5,9 @@ module Validators; end
 class Validators::UploadValidator < ActiveModel::Validator
 
   def validate(upload)
-    # allow all attachments except S/MIME signatures
-    # cf. https://meta.discourse.org/t/strip-s-mime-signatures/46371
+    # check the attachment blacklist
     if upload.is_attachment_for_group_message && SiteSetting.allow_all_attachments_for_group_messages
-      return upload.original_filename != "smime.p7s".freeze
+      return upload.original_filename =~ SiteSetting.attachment_filename_blacklist_regex
     end
 
     extension = File.extname(upload.original_filename)[1..-1] || ""
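Review bot: The replaced line returns the result of `=~` from `validate`, but `ActiveModel::Validator#validate` ignores its return value — validity is decided by errors added to the record — so neither the old `!= "smime.p7s"` comparison nor the new regex match rejects anything on this path; and if the return value were ever consulted, the new expression is inverted relative to the old one (truthy exactly when the filename is blacklisted). To actually enforce the blacklist for group-message attachments, add an error and then return, e.g. `upload.errors.add(:base, <blacklisted attachment message>) if upload.original_filename =~ SiteSetting.attachment_filename_blacklist_regex` followed by `return`, with the message text taken from a locale key added alongside the new settings. The rest of validate continues outside the hunk.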

GitHub sha: e92f5e4f
