From 3eb161472e5b2f13cda916c88479fbe35132a69c Mon Sep 17 00:00:00 2001
From: JediKev <kevin@enhancesoft.com>
Date: Mon, 6 Nov 2017 14:37:26 -0600
Subject: [PATCH] issue: File Upload Bypass
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This addresses an issue where someone can bypass the file restrictions on
the file upload field in the Client Portal. This adds the allowed
extensions and file types to the field options so that users cannot
upload anything other than the allowed file types.
---
 include/ajax.forms.php  | 8 +++++++-
 include/class.forms.php | 2 +-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/include/ajax.forms.php b/include/ajax.forms.php
index 70c57e15b..41506c872 100644
--- a/include/ajax.forms.php
+++ b/include/ajax.forms.php
@@ -381,9 +381,15 @@ class DynamicFormsAjaxAPI extends AjaxController {
     }
 
     function attach() {
+        global $thisstaff;
+
+        $config = DynamicFormField::objects()
+            ->filter(array('type__contains'=>'thread'))
+            ->first()->getConfiguration();
         $field = new FileUploadField();
+        $field->_config = $config;
         return JsonDataEncoder::encode(
-            array('id'=>$field->ajaxUpload())
+            array('id'=>$field->ajaxUpload($thisstaff ? true : false))
         );
     }
 
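Review bot: In attach(), `->first()->getConfiguration()` dereferences the result of `first()` unchecked, so if no field has a type containing 'thread' the request ends in a fatal error rather than a clean rejection. Hold the result first, e.g. `$thread = DynamicFormField::objects()->filter(array('type__contains'=>'thread'))->first();`, and refuse the upload when it is empty before assigning `$field->_config`. The restrictions also come from whichever 'thread' field sorts first, not from the field the upload belongs to, so a form with its own file-type list would presumably not be enforced here; a comment stating that limitation would help the next reader. The boolean passed to `ajaxUpload()` is not explained in this hunk: if it relaxes validation for staff sessions, say so in a comment, and `(bool) $thisstaff` reads more simply than the ternary.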
diff --git a/include/class.forms.php b/include/class.forms.php
index c097dd995..062bcaea5 100644
--- a/include/class.forms.php
+++ b/include/class.forms.php
@@ -2837,7 +2837,7 @@ class FileUploadField extends FormField {
 
         // Check MIME type - file ext. shouldn't be solely trusted.
         if ($type && $config['__mimetypes']
-                && in_array($type, $config['__mimetypes']))
+                && in_array($type, $config['__mimetypes'], true))
             return true;
 
         // Return true if all file types are allowed (.*)
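Review bot: The strict `in_array($type, $config['__mimetypes'], true)` now needs a byte-exact match, but `$type` is not normalised in the visible lines. A value that differs only in case or carries a parameter such as `; charset=...` would miss the allow-list and fall through to the later checks. Lower-casing and trimming first would address that, e.g. `$type = strtolower(trim(strtok($type, ';')));`. The function starts outside this hunk, so where `$type` comes from is not visible; if it is the Content-Type declared by the client, this check is only advisory. In that case the comment above it should say so, and server-side detection with `finfo` would be the stronger control.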
-- 
GitLab