From cb3fdf36332870089ae27173732224b09c7291e1 Mon Sep 17 00:00:00 2001
From: Peter Rotich <peter@osticket.com>
Date: Mon, 26 Oct 2015 06:48:25 +0000
Subject: [PATCH] White-list canned attachments

Add canned attachments to allowed files list when a canned response is used.
---
 include/class.canned.php | 4 ++++
 include/class.forms.php  | 5 +++++
 2 files changed, 9 insertions(+)

diff --git a/include/class.canned.php b/include/class.canned.php
index a7154b974..8cea1417b 100644
--- a/include/class.canned.php
+++ b/include/class.canned.php
@@ -117,6 +117,10 @@ class Canned {
                     $resp['response'] = Format::html2text($resp['response'], 90);
                     $resp['files'] += $this->attachments->getInlines();
                 }
+
+                foreach ($resp['files'] as $f)
+                    $_SESSION[':cannedFiles'][$f['file_id']] = 1;
+
                 return Format::json_encode($resp);
                 break;
             case 'html':
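Review bot: The entries written to `$_SESSION[':cannedFiles']` in the added loop are never removed, so every file ID from any canned response fetched in this session stays on the allow-list until the session ends. The consumer in include/class.forms.php (second hunk) merges the whole map into `$allowed`, so the permission is not tied to the ticket or form the response was fetched for. Whether the caller checks that the agent may read this canned response is not visible in the hunk; if it does not, this loop would widen what can be attached. Consider clearing the key once the upload widget has consumed it, and at least documenting the scope with `// Session-wide allow-list of canned attachment IDs; consumed by FileUploadWidget`. The enclosing method starts and ends outside the hunk.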
diff --git a/include/class.forms.php b/include/class.forms.php
index 91cf301fa..770736e84 100644
--- a/include/class.forms.php
+++ b/include/class.forms.php
@@ -2223,6 +2223,11 @@ class FileUploadWidget extends Widget {
             if (isset($_SESSION[':uploadedFiles'])) {
                 $allowed += $_SESSION[':uploadedFiles'];
             }
+
+            // Canned attachments initiated by this session
+            if (isset($_SESSION[':cannedFiles']))
+               $allowed += $_SESSION[':cannedFiles'];
+
             foreach ($files as $i=>$F) {
                 if (!isset($allowed[$F])) {
                     unset($files[$i]);
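Review bot: The added `if` on `$_SESSION[':cannedFiles']` omits braces and its body is indented one space short, unlike the braced `:uploadedFiles` check directly above it. Matching that form keeps the allow-list construction easy to audit: `if (isset($_SESSION[':cannedFiles'])) {`, `$allowed += $_SESSION[':cannedFiles'];`, `}`. The comment could also record why these IDs are trusted, e.g. `// File IDs recorded server-side by Canned when a canned response was fetched in this session`, since this map decides which submitted IDs survive the `unset($files[$i])` filter below. The enclosing method and the `foreach` body continue outside the hunk.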
-- 
GitLab