diff --git a/api/src/main/java/org/openmrs/module/attachments/AttachmentsConstants.java b/api/src/main/java/org/openmrs/module/attachments/AttachmentsConstants.java
index ff76ba88..7185fd7e 100644
--- a/api/src/main/java/org/openmrs/module/attachments/AttachmentsConstants.java
+++ b/api/src/main/java/org/openmrs/module/attachments/AttachmentsConstants.java
@@ -112,6 +112,10 @@ public static enum ContentFamily {
public static final String GP_MAX_STORAGE_FILE_SIZE = MODULE_ARTIFACT_ID + ".maxStorageFileSize";
+ public static final String GP_ALLOWED_FILE_EXTENSIONS = MODULE_ARTIFACT_ID + ".allowedFileExtensions";
+
+ public static final String GP_DENIED_FILE_NAMES = MODULE_ARTIFACT_ID + ".deniedFileNames";
+
public static final String GP_WEBCAM_ALLOWED = MODULE_ARTIFACT_ID + ".allowWebcam";
public static final String GP_ENCOUNTER_SAVING_FLOW = MODULE_ARTIFACT_ID + ".encounterSavingFlow";
diff --git a/api/src/main/java/org/openmrs/module/attachments/AttachmentsContext.java b/api/src/main/java/org/openmrs/module/attachments/AttachmentsContext.java
index cc409b6d..d5081fd0 100644
--- a/api/src/main/java/org/openmrs/module/attachments/AttachmentsContext.java
+++ b/api/src/main/java/org/openmrs/module/attachments/AttachmentsContext.java
@@ -189,6 +189,14 @@ public Encounter getAttachmentEncounter(Patient patient, Visit visit, Provider p
return encounter;
}
+ /*
+ * @return An array of comma-separated values for the named global property
+ */
+ protected String[] getCommaSeparatedGlobalPropertyValues(String globalPropertyName) {
+ String globalProperty = administrationService.getGlobalProperty(globalPropertyName);
+ return StringUtils.isEmpty(globalProperty) ? new String[0] : globalProperty.split(",");
+ }
+
/*
* See super#getIntegerByGlobalProperty(String globalPropertyName)
*/
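Review bot: `globalProperty.split(",")` keeps the whitespace around each entry, so a property stored as `pdf, png` yields `" png"`, which the `equalsIgnoreCase` comparisons in AttachmentResource never match; a trailing comma likewise yields an empty entry that would match a file with no extension. Trim and drop empty entries before returning: `return Arrays.stream(globalProperty.split(",")).map(String::trim).filter(s -> !s.isEmpty()).toArray(String[]::new);` (this presumably needs `java.util.Arrays` imported in AttachmentsContext, which is not visible here). For the same reason `StringUtils.isEmpty` should be `isBlank`, since a whitespace-only value currently produces a one-element array. The comment opener should be `/**` so the `@return` tag is picked up as Javadoc, e.g. `/** @return The trimmed, non-empty entries of the named comma-separated global property; empty when the property is unset. */`.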
@@ -330,6 +338,20 @@ public Double getMaxUploadFileSize() {
return getDoubleByGlobalProperty(AttachmentsConstants.GP_MAX_UPLOAD_FILE_SIZE);
}
+ /**
+ * @return The allowed file extensions.
+ */
+ public String[] getAllowedFileExtensions() {
+ return getCommaSeparatedGlobalPropertyValues(AttachmentsConstants.GP_ALLOWED_FILE_EXTENSIONS);
+ }
+
+ /**
+ * @return The denied file names.
+ */
+ public String[] getDeniedFileNames() {
+ return getCommaSeparatedGlobalPropertyValues(AttachmentsConstants.GP_DENIED_FILE_NAMES);
+ }
+
/**
* @return The max file size allowed to be stored (in Megabytes).
*/
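Review bot: The Javadoc on `getAllowedFileExtensions()` and `getDeniedFileNames()` does not state the meaning of the empty result, which is what the caller in AttachmentResource keys its behaviour on. Suggest `@return The allowed file extensions; an empty array means the extension check is disabled and any extension is accepted.` and `@return The file names to reject on upload; an empty array means no name is rejected.` Both methods re-read the global property on every call, which is worth noting for the callers that invoke them twice per request.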
diff --git a/omod/src/main/java/org/openmrs/module/attachments/rest/AttachmentResource.java b/omod/src/main/java/org/openmrs/module/attachments/rest/AttachmentResource.java
index d8401511..c81ee086 100644
--- a/omod/src/main/java/org/openmrs/module/attachments/rest/AttachmentResource.java
+++ b/omod/src/main/java/org/openmrs/module/attachments/rest/AttachmentResource.java
@@ -9,9 +9,11 @@
import java.io.InputStream;
import java.io.OutputStream;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.List;
import org.apache.commons.codec.binary.Base64;
+import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.BooleanUtils;
import org.apache.commons.lang.StringUtils;
import org.openmrs.Encounter;
@@ -114,6 +116,21 @@ public Object upload(MultipartFile file, RequestContext context) throws Response
throw new IllegalRequestException("The file exceeds the maximum size");
}
+ // Verify file extension
+ String fileName = file.getOriginalFilename();
+ int idx = fileName.lastIndexOf(".");
+ String fileExtension = idx > 0 && idx < fileName.length() - 1 ? fileName.substring(idx + 1) : "";
+ if (!ArrayUtils.isEmpty(ctx.getAllowedFileExtensions()) && !Arrays.stream(ctx.getAllowedFileExtensions())
+ .filter(e -> e.equalsIgnoreCase(fileExtension)).findAny().isPresent()) {
+ throw new IllegalRequestException("The extension is not valid");
+ }
+
+ // Verify file name
+ if (!ArrayUtils.isEmpty(ctx.getDeniedFileNames())
+ && Arrays.stream(ctx.getDeniedFileNames()).filter(e -> e.equalsIgnoreCase(fileName)).findAny().isPresent()) {
+ throw new IllegalRequestException("The file name is not valid");
+ }
+
// Verify Parameters
if (patient == null) {
throw new IllegalRequestException("A patient parameter must be provided when uploading an attachment.");
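Review bot: `fileName.lastIndexOf(".")` dereferences `file.getOriginalFilename()` without a null check, and Spring's `MultipartFile` contract allows that method to return null, so such a request fails with an NPE (a 500) instead of an `IllegalRequestException`. The same contract notes the returned name may carry client-side path information depending on the browser, in which case the denied-name comparison against the full string (e.g. `...\eicar.txt`) never matches; comparing on the base name closes that gap. `ctx.getAllowedFileExtensions()` and `ctx.getDeniedFileNames()` are each evaluated twice, costing a redundant global-property lookup per check, and `.filter(...).findAny().isPresent()` is the long form of `anyMatch`. The enclosing `upload` method starts and ends outside this hunk.

```java
// Verify file extension
// getOriginalFilename() may be null or carry client-side path segments; normalise to a base name
String fileName = StringUtils.defaultString(file.getOriginalFilename());
int sep = Math.max(fileName.lastIndexOf('/'), fileName.lastIndexOf('\\'));
if (sep >= 0) {
    fileName = fileName.substring(sep + 1);
}
int idx = fileName.lastIndexOf('.');
String fileExtension = idx > 0 && idx < fileName.length() - 1 ? fileName.substring(idx + 1) : "";
String[] allowedExtensions = ctx.getAllowedFileExtensions();
if (!ArrayUtils.isEmpty(allowedExtensions)
        && !Arrays.stream(allowedExtensions).anyMatch(e -> e.equalsIgnoreCase(fileExtension))) {
    throw new IllegalRequestException("The extension is not valid");
}

// Verify file name
String[] deniedFileNames = ctx.getDeniedFileNames();
if (!ArrayUtils.isEmpty(deniedFileNames)
        && Arrays.stream(deniedFileNames).anyMatch(e -> e.equalsIgnoreCase(fileName))) {
    throw new IllegalRequestException("The file name is not valid");
}

// … unchanged: parameter verification …
```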
diff --git a/omod/src/main/resources/config.xml b/omod/src/main/resources/config.xml
index 7acceba5..9b717802 100644
--- a/omod/src/main/resources/config.xml
+++ b/omod/src/main/resources/config.xml
@@ -105,6 +105,22 @@
+
+ ${project.parent.artifactId}.allowedFileExtensions
+
+
+ Comma-separated list of case-insensitive file extensions that are allowed to be uploaded.
+
+
+
+
+ ${project.parent.artifactId}.deniedFileNames
+ eicar.txt
+
+ Comma-separated list of case-insensitive file names that will be rejected if the attached file has this name.
+
+
+
${project.parent.artifactId}.encounterSavingFlow
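Review bot: The description of `allowedFileExtensions` does not say what an empty value means, yet empty is the shipped default and, per the check in AttachmentResource, disables the restriction entirely; an administrator reading only this text could assume an empty list blocks all uploads. Suggest `Comma-separated list of case-insensitive file extensions that are allowed to be uploaded. Leave empty to accept any extension.` For `deniedFileNames`, the match is purely on the file name sent by the client, so the description should say so: `Comma-separated list of case-insensitive file names that will be rejected when the uploaded file's name matches; this checks the name only, not the file contents.`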