files: Verify files attached to a FileUploadField #2618
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This fixes a security issue where, by crafting a special POST request to the client open.php page, an (unauthenticated) user could get a URL link to access to any attachment already uploaded in the system by guessing or brute-forcing the file's ID number.
This patch addresses the issue by registering the uploaded file's ID in the current user's session. When processing the list of file ID's attached to the FileUploadField, the files must already have been attached to the field or have been newly attached in the current session.
Fixes #2615
References:
"Security issue - Download attachments submitted by others"
#2615