Index: branches/5.2.x/core/units/helpers/upload_helper.php
===================================================================
diff -u -N -r16652 -r16687
--- branches/5.2.x/core/units/helpers/upload_helper.php (.../upload_helper.php) (revision 16652)
+++ branches/5.2.x/core/units/helpers/upload_helper.php (.../upload_helper.php) (revision 16687)
@@ -87,7 +87,8 @@
 }
 $filename = $this->fileHelper->ensureUniqueFilename($tmp_path, $filename);
-$storage_format = $this->getStorageFormat($this->Application->GetVar('field'), $event);
+$field_options = $this->getFieldOptions($this->Application->GetVar('field'), $event);
+$storage_format = isset($field_options['storage_format']) ? $field_options['storage_format'] : false;
 $file_path = $tmp_path . $filename;
 $actual_file_path = $this->moveUploadedFile($file_path);
@@ -96,6 +97,16 @@
 $this->resizeUploadedFile($file_path, $storage_format);
 }
+if ( getArrayValue($field_options, 'file_types')
+&& !$this->fileHelper->extensionMatch(kUtil::removeTempExtension($filename), $field_options['file_types'])
+) {
+throw new kUploaderException('File is not an allowed file type.', 415);
+}
+
+if ( filesize($actual_file_path) > $field_options['max_size'] ) {
+throw new kUploaderException('File size exceeds allowed limit.', 413);
+}
+
+
 $this->deleteTempFiles($tmp_path);
 $thumbs_path = preg_replace('/^' . preg_quote(FULL_PATH, '/') . '/', '', $tmp_path, 1);
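Review bot: The new file-type and size checks run only after `moveUploadedFile()` and `resizeUploadedFile()` have already placed and processed the file, and when either check throws nothing in this hunk removes `$actual_file_path` or reaches `deleteTempFiles()`, so a rejected upload is left on disk and has already gone through the resize path unvalidated (unless a caller outside the hunk cleans up, which is not visible here). The size check also reads `$field_options['max_size']` unguarded, unlike the `getArrayValue()` lookup used for `file_types`; if `max_size` can be absent for a field, `filesize(...) > null` is true for any non-empty file and every upload to that field would be rejected with 413. Note too that `extensionMatch()` on the filename is an extension allowlist, not a content check, which is worth a comment so nobody reads it as MIME validation. The enclosing method starts before and ends after this hunk, so I cannot tell whether the checks can simply be hoisted above the move; if they cannot, at minimum validate against `max_size` only when it is set and remove the moved file before throwing:

```php
$actual_file_path = $this->moveUploadedFile($file_path);
// … unchanged: storage-format resize …

// Extension allowlist only (not a content/MIME check); reject and clean up.
if ( getArrayValue($field_options, 'file_types')
	&& !$this->fileHelper->extensionMatch(kUtil::removeTempExtension($filename), $field_options['file_types'])
) {
	unlink($actual_file_path);
	throw new kUploaderException('File is not an allowed file type.', 415);
}

if ( isset($field_options['max_size']) && filesize($actual_file_path) > $field_options['max_size'] ) {
	unlink($actual_file_path);
	throw new kUploaderException('File size exceeds allowed limit.', 413);
}
```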
@@ -255,19 +266,22 @@
 }
 /**
- * Gets storage format for a given field.
+ * Returns field options.
  *
- * @param string $field_name
- * @param kEvent $event
- * @return bool
+ * @param string $field Field.
+ * @param kEvent $event Event.
+ *
+ * @return array
  */
-protected function getStorageFormat($field_name, kEvent $event)
+protected function getFieldOptions($field, kEvent $event)
 {
+/** @var array $fields */
 $fields = $this->Application->getUnitOption($event->Prefix, 'Fields');
+
+/** @var array $virtual_fields */
 $virtual_fields = $this->Application->getUnitOption($event->Prefix, 'VirtualFields');
-$field_options = array_key_exists($field_name, $fields) ? $fields[$field_name] : $virtual_fields[$field_name];
-return isset($field_options['storage_format']) ? $field_options['storage_format'] : false;
+return array_key_exists($field, $fields) ? $fields[$field] : $virtual_fields[$field];
 }
 /**
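Review bot: The `return` line falls through to `$virtual_fields[$field]` without checking that the key exists, and the caller in the earlier hunk feeds it `$this->Application->GetVar('field')` straight from the request, so an unknown or tampered field name produces an undefined-index notice and a `null` return despite the new `@return array` docblock. The caller then evaluates its `file_types` and `max_size` checks against `null`, which is not the validation outcome anyone intends for an unrecognised field. I would reject it explicitly before the lookup: `if ( !array_key_exists($field, $fields) && !array_key_exists($field, $virtual_fields) ) {` / `throw new kUploaderException('Unknown field.', 400);` / `}` (the exception class is the one already used in this file; adjust the code if the caller maps a different one to a client error). The docblock should then carry `@throws kUploaderException When the field is not configured for this unit.` so the contract is visible to callers.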