Arbitrary Method Invocation

This commit addresses possible Arbitrary Method Invocation via AJAX file upload.

To save some memory osTicket uses callback method to fetch the content of a
file on mail fetch. $file['data'] was overloaded as a callback by simply
checking if the content is callable, resulting in method invocation when
content of the uploaded file is a callable.

The address the issue we're not using locally set callback parameter / method.

include/class.file.php

@@ -388,12 +388,15 @@ class AttachmentFile extends VerySimpleModel {
                 $file['data'] = base64_decode($file['data']);
             }
         }
-        if (isset($file['data'])) {
+
+        if (!isset($file['data']) && isset($file['dataclb'])
+                && is_callable($file['dataclb'])) {
             // Allow a callback function to delay or avoid reading or
             // fetching ihe file contents
-            if (is_callable($file['data']))
-                $file['data'] = $file['data']();
+            $file['data'] = $file['dataclb']();
+        }
 
+        if (isset($file['data'])) {
             list($key, $file['signature'])
                 = self::_getKeyAndHash($file['data']);
             if (!$file['key'])

include/class.mailfetch.php

@@ -831,7 +831,7 @@ class MailFetcher {
                 else {
                     // only fetch the body if necessary
                     $self = $this;
-                    $file['data'] = function() use ($self, $mid, $a) {
+                    $file['dataclb'] = function() use ($self, $mid, $a) {
                         return $self->decode(imap_fetchbody($self->mbox,
                             $mid, $a['index']), $a['encoding']);
                     };