Added configuration to the allowed file extension.

api/src/main/java/org/openmrs/module/attachments/AttachmentsConstants.java

@@ -112,6 +112,10 @@ public static enum ContentFamily {
 
 	public static final String GP_MAX_STORAGE_FILE_SIZE = MODULE_ARTIFACT_ID + ".maxStorageFileSize";
 
+	public static final String GP_ALLOWED_FILE_EXTENSIONS = MODULE_ARTIFACT_ID + ".allowedFileExtensions";
+
+	public static final String GP_DENIED_FILE_NAMES = MODULE_ARTIFACT_ID + ".deniedFileNames";
+
 	public static final String GP_WEBCAM_ALLOWED = MODULE_ARTIFACT_ID + ".allowWebcam";
 
 	public static final String GP_ENCOUNTER_SAVING_FLOW = MODULE_ARTIFACT_ID + ".encounterSavingFlow";

api/src/main/java/org/openmrs/module/attachments/AttachmentsContext.java

@@ -189,6 +189,14 @@ public Encounter getAttachmentEncounter(Patient patient, Visit visit, Provider p
 		return encounter;
 	}
 
+	/*
+	 * @return An array of comma-separated values for the named global property
+	 */
+	protected String[] getCommaSeparatedGlobalPropertyValues(String globalPropertyName) {
+		String globalProperty = administrationService.getGlobalProperty(globalPropertyName);
+		return StringUtils.isEmpty(globalProperty) ? new String[0] : globalProperty.split(",");
+	}
+
 	/*
 	 * See super#getIntegerByGlobalProperty(String globalPropertyName)
 	 */
@@ -330,6 +338,20 @@ public Double getMaxUploadFileSize() {
 		return getDoubleByGlobalProperty(AttachmentsConstants.GP_MAX_UPLOAD_FILE_SIZE);
 	}
 
+	/**
+	 * @return The allowed file extensions.
+	 */
+	public String[] getAllowedFileExtensions() {
+		return getCommaSeparatedGlobalPropertyValues(AttachmentsConstants.GP_ALLOWED_FILE_EXTENSIONS);
+	}
+
+	/**
+	 * @return The denied file names.
+	 */
+	public String[] getDeniedFileNames() {
+		return getCommaSeparatedGlobalPropertyValues(AttachmentsConstants.GP_DENIED_FILE_NAMES);
+	}
+
 	/**
 	 * @return The max file size allowed to be stored (in Megabytes).
 	 */

omod/src/main/java/org/openmrs/module/attachments/rest/AttachmentResource.java

@@ -9,9 +9,11 @@
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.List;
 
 import org.apache.commons.codec.binary.Base64;
+import org.apache.commons.lang.ArrayUtils;
 import org.apache.commons.lang.BooleanUtils;
 import org.apache.commons.lang.StringUtils;
 import org.openmrs.Encounter;
@@ -114,6 +116,20 @@ public Object upload(MultipartFile file, RequestContext context) throws Response
 			throw new IllegalRequestException("The file  exceeds the maximum size");
 		}
 
+		// Verify file extension
+		String fileName = file.getOriginalFilename();
+		int idx = fileName.lastIndexOf(".");
+		String fileExtension = idx > 0 && idx < fileName.length() - 1 ? fileName.substring(idx + 1) : "";
+		if (!Arrays.stream(ctx.getAllowedFileExtensions()).filter(e -> e.equalsIgnoreCase(fileExtension)).findAny()
+		        .isPresent()) {
+			throw new IllegalRequestException("The extension is not valid");
+		}
+
+		// Verify file name
+		if (Arrays.stream(ctx.getAllowedFileExtensions()).filter(e -> e.equalsIgnoreCase(fileName)).findAny().isPresent()) {
+			throw new IllegalRequestException("The file name is not valid");
+		}
+
 		// Verify Parameters
 		if (patient == null) {
 			throw new IllegalRequestException("A patient parameter must be provided when uploading an attachment.");

omod/src/main/resources/config.xml

@@ -105,6 +105,22 @@
 		</description>
 	</globalProperty>
 
+	<globalProperty>
+		<property>${project.parent.artifactId}.allowedFileExtensions</property>
+		<defaultValue/>
+		<description>
+			Comma-separated list of case-insensitive file extensions that are allowed to be uploaded.
+		</description>
+	</globalProperty>
+
+	<globalProperty>
+		<property>${project.parent.artifactId}.deniedFileNames</property>
+		<defaultValue>eicar.txt</defaultValue>
+		<description>
+			Comma-separated list of case-insensitive file names that will be rejected if the attached file has this name.
+		</description>
+	</globalProperty>
+
 	<globalProperty>
 		<property>${project.parent.artifactId}.encounterSavingFlow</property>
 		<defaultValue></defaultValue>