Merge pull request #2618 from greezybacon/issue/2615

files: Verify files attached to a FileUploadField Reviewed-By: Peter Rotich <peter@osticket.com>
osTicket · Oct 5, 2015 · f9ac032 · f9ac032
2 parents b1c845b + 2053740
commit f9ac032
Showing 1 changed file with 24 additions and 1 deletion.
diff --git a/include/class.forms.php b/include/class.forms.php
@@ -1517,6 +1517,9 @@ function ajaxUpload($bypass=false) {
         if (!($id = AttachmentFile::upload($file)))
             Http::response(500, 'Unable to store file: '. $file['error']);
 
+        // This file is allowed for attachment in this session
+        $_SESSION[':uploadedFiles'][$id] = 1;
+
         return $id;
     }
 
@@ -2206,7 +2209,27 @@ function getValue() {
         elseif ($data && is_array($data) && !isset($data[$this->name]))
             return array();
 
-        return parent::getValue();
+
+        // Files uploaded here MUST have been uploaded by this user and
+        // identified in the session
+        if ($files = parent::getValue()) {
+            $allowed = array();
+            // Files already attached to the field are allowed
+            foreach ($this->field->getFiles() as $F) {
+                // FIXME: This will need special porting in v1.10
+                $allowed[$F['id']] = 1;
+            }
+            // New files uploaded in this session are allowed
+            if (isset($_SESSION[':uploadedFiles'])) {
+                $allowed += $_SESSION[':uploadedFiles'];
+            }
+            foreach ($files as $i=>$F) {
+                if (!isset($allowed[$F])) {
+                    unset($files[$i]);
+                }
+            }
+        }
+        return $files;
     }
 }