From 89f13437df1514e3cf0fdee28c924c80cc8d7643 Mon Sep 17 00:00:00 2001
From: Tim Steiner <tsteiner2@unl.edu>
Date: Mon, 30 Jun 2008 21:37:05 +0000
Subject: [PATCH] Limit the types of files that may be attached to requests.

---
 .../modules/courses/controllers/EditController.php   |  4 ++++
 .../modules/courses/views/scripts/edit/index.phtml   | 12 +++++++++---
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/application/modules/courses/controllers/EditController.php b/application/modules/courses/controllers/EditController.php
index 122add47..ae6ab5dd 100644
--- a/application/modules/courses/controllers/EditController.php
+++ b/application/modules/courses/controllers/EditController.php
@@ -121,6 +121,10 @@ class Courses_EditController extends App_Controller_Action
         	}
 	        if ($_FILES['request']['error'][$fileType] === 0) {
 	            $title = $_FILES['request']['name'][$fileType];
+	            $fileExtension = array_pop(explode('.', $title));
+	            if (!in_array($fileExtension, array('rtf', 'pdf', 'odt', 'doc'))) {
+	            	continue;
+	            }
 	            $mimeType = $_FILES['request']['type'][$fileType];
 	            $content = file_get_contents($_FILES['request']['tmp_name'][$fileType]);
 	            $request->setFile($fileType, $title, $mimeType, $content);
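Review bot: The new extension check on the second added line is case-sensitive and compares a client-chosen string, so `Syllabus.PDF` is rejected while the check provides no real assurance about what the file contains. `array_pop(explode('.', $title))` also passes a temporary by reference, which PHP reports as "Only variables should be passed by reference"; `$fileExtension = strtolower(pathinfo($title, PATHINFO_EXTENSION));` followed by `if (!in_array($fileExtension, array('rtf', 'pdf', 'odt', 'doc'), true)) {` avoids both. Note that `$mimeType` on the following context line is likewise taken from `$_FILES['request']['type']`, which the browser supplies, so if the allow-list is meant as a security control rather than a usability hint the server should also derive the type from the uploaded bytes (e.g. `finfo_file`) before calling `setFile`. The silent `continue` drops the attachment without telling the user why; a comment such as `// skip disallowed attachment types without aborting the rest of the request` would at least make the intent explicit. The enclosing loop and method both start and end outside this hunk.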
diff --git a/application/modules/courses/views/scripts/edit/index.phtml b/application/modules/courses/views/scripts/edit/index.phtml
index 2a29b447..df96a94e 100644
--- a/application/modules/courses/views/scripts/edit/index.phtml
+++ b/application/modules/courses/views/scripts/edit/index.phtml
@@ -820,7 +820,6 @@ if (in_array($this->request->getType(), array('NewCourseWithACE', 'AddACEToCours
 <div class="main_section">
 <h2>Supportive Material</h2>
 
-
     <?php if (!in_array($this->request->getType(), array('AddACEToCourse', 'RemoveACEFromCourse'))) { ?>
     <fieldset>
         <label>
@@ -832,7 +831,6 @@ if (in_array($this->request->getType(), array('NewCourseWithACE', 'AddACEToCours
     <input type="hidden" name="request[justification]" value="See ACE Certification Details" />
     <?php } ?>
 
-
     <fieldset>
         <label>
             <?php if (in_array($this->request->getType(), array('NewCourse', 'NewCourseWithIS', 'NewCourseWithACE', 'AddACEToCourse', 'AddACEAndChangeCourse'))) { ?>
@@ -971,7 +969,15 @@ if (in_array($this->request->getType(), array('NewCourseWithACE', 'AddACEToCours
         <?php } ?>
     </fieldset>
 
-
+    <div id="allowedFileTypes">
+        Allowed file types for attachments are:
+        <ul>
+            <li><a href="http://en.wikipedia.org/wiki/Rich_text_format" target="_new">Rich Text Format (.rtf)</a></li>
+            <li><a href="http://en.wikipedia.org/wiki/Portable_document_format" target="_new">Portable Document Format (.pdf)</a></li>
+            <li><a href="http://en.wikipedia.org/wiki/Open_document_format" target="_new">OpenDocument Text (.odt)</a><li>
+            <li><a href="http://en.wikipedia.org/wiki/DOC_(computing)" target="_new">MS Word Documents (.doc)</a></li>
+        </ul>
+    </div>
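Review bot: The OpenDocument entry in the added list is not closed correctly: the line ends with `<li>` instead of `</li>`, which opens a stray empty list item inside the `<ul>`. It should read `<li><a href="http://en.wikipedia.org/wiki/Open_document_format" target="_new">OpenDocument Text (.odt)</a></li>`. Separately, `target="_new"` is not a reserved target name; `target="_blank"` is the conventional value for opening a new window. The four listed extensions match the controller's allow-list in the first file of this patch, so keep the two lists in step if either changes.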
 
 </div>
 
-- 
GitLab