Index: branches/5.2.x/core/kernel/utility/formatters/upload_formatter.php =================================================================== diff -u -N -r16650 -r16687 --- branches/5.2.x/core/kernel/utility/formatters/upload_formatter.php (.../upload_formatter.php) (revision 16650) +++ branches/5.2.x/core/kernel/utility/formatters/upload_formatter.php (.../upload_formatter.php) (revision 16687) @@ -1,6 +1,6 @@ extensionMatch($value['name'], $options['file_types']) ) { + if ( getArrayValue($options, 'file_types') + && !$this->fileHelper->extensionMatch($value['name'], $options['file_types']) + ) { // match by file extensions $error_params = Array ( 'file_name' => $value['name'], @@ -308,21 +310,18 @@ /** * Checks, that given file name has on of provided file extensions * - * @param string $filename - * @param string $file_types - * @return bool - * @access protected + * @param string $filename Filename. + * @param string $file_types File types. + * + * @return boolean + * @deprecated 5.2.2-B2 + * @see FileHelper::extensionMatch() */ protected function extensionMatch($filename, $file_types) { - if ( preg_match_all('/\*\.(.*?)(;|$)/', $file_types, $regs) ) { - $file_extension = mb_strtolower(pathinfo($filename, PATHINFO_EXTENSION)); - $file_extensions = array_map('mb_strtolower', $regs[1]); + kUtil::deprecatedMethod(__METHOD__, '5.2.2-B2', 'FileHelper::extensionMatch'); - return in_array($file_extension, $file_extensions); - } - - return true; + return $this->fileHelper->extensionMatch($filename, $file_types); } /** Index: branches/5.2.x/core/units/helpers/upload_helper.php =================================================================== diff -u -N -r16652 -r16687 --- branches/5.2.x/core/units/helpers/upload_helper.php (.../upload_helper.php) (revision 16652) +++ branches/5.2.x/core/units/helpers/upload_helper.php (.../upload_helper.php) (revision 16687) 
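Review bot: The delegating `extensionMatch()` wrapper no longer shows what happens when `$file_types` contains no `*.ext` pattern. The removed body returned `true` in that case, so an empty or malformed pattern list accepted every file name. `FileHelper::extensionMatch()` is not visible in this part of the diff, so confirm whether it keeps that fail-open default, since the formatter check earlier in this file now depends on it too. The new docblock descriptions `Filename.` and `File types.` add nothing; I would document the expected format instead, e.g. `@param string $file_types Semicolon-separated patterns such as "*.jpg;*.png".` The wrapper also assumes `$this->fileHelper` is initialised, which is not visible in this hunk.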
@@ -87,7 +87,8 @@ } $filename = $this->fileHelper->ensureUniqueFilename($tmp_path, $filename); - $storage_format = $this->getStorageFormat($this->Application->GetVar('field'), $event); + $field_options = $this->getFieldOptions($this->Application->GetVar('field'), $event); + $storage_format = isset($field_options['storage_format']) ? $field_options['storage_format'] : false; $file_path = $tmp_path . $filename; $actual_file_path = $this->moveUploadedFile($file_path); @@ -96,6 +97,16 @@ $this->resizeUploadedFile($file_path, $storage_format); } + if ( getArrayValue($field_options, 'file_types') + && !$this->fileHelper->extensionMatch(kUtil::removeTempExtension($filename), $field_options['file_types']) + ) { + throw new kUploaderException('File is not an allowed file type.', 415); + } + + if ( filesize($actual_file_path) > $field_options['max_size'] ) { + throw new kUploaderException('File size exceeds allowed limit.', 413); + } + $this->deleteTempFiles($tmp_path); $thumbs_path = preg_replace('/^' . preg_quote(FULL_PATH, '/') . '/', '', $tmp_path, 1); 
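Review bot: Both new checks in the `@@ -96,6 +97,16 @@` hunk run only after `moveUploadedFile()` and the conditional `resizeUploadedFile()` call, so a file with a disallowed extension or size is moved, and possibly handed to the resizer, before it is rejected. Nothing in this hunk removes `$actual_file_path` when `kUploaderException` is thrown. The extension test needs only `$filename` and could run before the move; for the size test, put `unlink($actual_file_path);` ahead of the `throw`, unless the code that catches the exception already cleans up (not visible here). `$field_options['max_size']` is also read without the `getArrayValue()`/`isset()` guard used for `file_types` and `storage_format`; if a field defines no `max_size`, PHP compares the size with null and every non-empty file gets a 413, so confirm a default is always present. The enclosing method starts and ends outside the hunk.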
@@ -255,19 +266,22 @@
 }
 /**
- * Gets storage format for a given field.
+ * Returns field options.
 *
- * @param string $field_name
- * @param kEvent $event
- * @return bool
+ * @param string $field Field.
+ * @param kEvent $event Event.
+ *
+ * @return array
 */
- protected function getStorageFormat($field_name, kEvent $event)
+ protected function getFieldOptions($field, kEvent $event)
 {
+ /** @var array $fields */
 $fields = $this->Application->getUnitOption($event->Prefix, 'Fields');
+
+ /** @var array $virtual_fields */
 $virtual_fields = $this->Application->getUnitOption($event->Prefix, 'VirtualFields');
- $field_options = array_key_exists($field_name, $fields) ? $fields[$field_name] : $virtual_fields[$field_name];
- return isset($field_options['storage_format']) ? $field_options['storage_format'] : false;
+ return array_key_exists($field, $fields) ? $fields[$field] : $virtual_fields[$field];
 }
 /**
Index: branches/5.2.x/core/units/helpers/file_helper.php
===================================================================
diff -u -N -r16513 -r16687
--- branches/5.2.x/core/units/helpers/file_helper.php (.../file_helper.php) (revision 16513)
+++ branches/5.2.x/core/units/helpers/file_helper.php (.../file_helper.php) (revision 16687)
@@ -1,6 +1,6 @@
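Review bot: `getFieldOptions()` returns `$virtual_fields[$field]` without checking that the key exists, and the caller passes `GetVar('field')`, which looks request-supplied. A name found in neither list therefore yields null with an undefined-index notice rather than the array promised by `@return array`. Before this change only `storage_format` was read from the result, but the upload handler now takes its allowed file types and size limit from it, so with a null result the `file_types` guard is presumably skipped and rejection rests on the incidental `> null` comparison in the size check. I would fail explicitly before the return, e.g. `if ( !array_key_exists($field, $fields) && !isset($virtual_fields[$field]) ) { throw new kUploaderException('Unknown upload field.', 400); }`.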