diff --git a/src/IDF/Form/Upload.php b/src/IDF/Form/Upload.php
index 917a2f7..fee3631 100644
--- a/src/IDF/Form/Upload.php
+++ b/src/IDF/Form/Upload.php
@@ -48,6 +48,7 @@ class IDF_Form_Upload extends Pluf_Form
 array('required' => true,
 'label' => __('File'),
 'initial' => '',
+ 'max_size' => Pluf::f('max_upload_size', 2097152),
 'move_function_params' => array('upload_path' => Pluf::f('upload_path').'/'.$this->project->shortname.'/files',
 'upload_path_create' => true,
 'upload_overwrite' => false),
@@ -68,7 +69,9 @@ class IDF_Form_Upload extends Pluf_Form
 public function clean_file()
 {
- if (!preg_match('/\.(png|jpg|jpeg|gif|bmp|psd|tif|aiff|asf|avi|bz2|css|doc|eps|gz|mdtext|mid|mov|mp3|mpg|ogg|pdf|ppt|ps|qt|ra|ram|rm|rtf|sdd|sdw|sit|sxi|sxw|swf|tgz|txt|wav|xls|xml|wmv|zip)$/i', $this->cleaned_data['file'])) {
+ $extra = strtolower(implode('|', explode(' ', Pluf::f('idf_extra_upload_ext'))));
+ if (strlen($extra)) $extra .= '|';
+ if (!preg_match('/\.('.$extra.'png|jpg|jpeg|gif|bmp|psd|tif|aiff|asf|avi|bz2|css|doc|eps|gz|mdtext|mid|mov|mp3|mpg|ogg|pdf|ppt|ps|qt|ra|ram|rm|rtf|sdd|sdw|sit|sxi|sxw|swf|tgz|txt|wav|xls|xml|wmv|zip)$/i', $this->cleaned_data['file'])) {
 throw new Pluf_Form_Invalid(__('For security reason, you cannot upload a file with this extension.'));
 }
 return $this->cleaned_data['file'];
diff --git a/src/IDF/conf/idf.php-dist b/src/IDF/conf/idf.php-dist
index 8aca31f..f9bb11d 100644
--- a/src/IDF/conf/idf.php-dist
+++ b/src/IDF/conf/idf.php-dist
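Review bot: In clean_file() (second hunk of src/IDF/Form/Upload.php) the value of `idf_extra_upload_ext` is spliced into the extension allowlist regex without any validation. Because the string is split on single spaces, a doubled or trailing space produces an empty alternative, and `\.(|png|…)$` then accepts any name that merely ends in a dot; a token containing `/` or a regex metacharacter would break or widen the pattern. I would tokenise and filter before joining: `$tokens = preg_split('/\s+/', strtolower(Pluf::f('idf_extra_upload_ext', '')), -1, PREG_SPLIT_NO_EMPTY);` followed by `$extra = implode('|', preg_grep('/^[a-z0-9]+$/', $tokens));`, keeping the existing `if (strlen($extra)) $extra .= '|';`. The explicit `''` default mirrors the two-argument `Pluf::f()` call used for `max_upload_size` in the first hunk.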
@@ -159,6 +159,13 @@ $cfg['db_table_prefix'] = 'indefero_';
 $cfg['db_engine'] = 'PostgreSQL'; # SQLite is also well tested or MySQL
 $cfg['db_database'] = 'website'; # put absolute path to the db if you
 # are using SQLite.
+#
+# The extension of the downloads are limited. You can add extra
+# extensions here.
+# $cfg['idf_extra_upload_ext'] = 'ext1 ext2';
+#
+# By default, the size of the downloads is limited to 2MB.
+# $cfg['max_upload_size'] = 2097152; // Size in bytes
 # -- From this point you should not need to update anything. --
 $cfg['pear_path'] = '/usr/share/php';
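Review bot: The new comment block does not tell the administrator that `idf_extra_upload_ext` widens the allowlist that clean_file() enforces "for security reason", nor what format the value must have. I would word it as `# Uploads are restricted to a list of known file extensions. Extra extensions (space separated, without the dot) are added to that allowlist;` and `# do not add extensions that your web server would execute or render.` Both comments also say "downloads" where the settings govern uploads. The `max_upload_size` line could add that PHP's own `upload_max_filesize` and `post_max_size` limits still apply.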