From e3c9e0f00faccbf0942ebf75f3873dd61872694a Mon Sep 17 00:00:00 2001
From: Peter Rotich <peter@osticket.com>
Date: Tue, 26 Jan 2016 03:23:27 +0000
Subject: [PATCH] Always force server-side attachments validation

osTicket supports filtering allowable files on the client-side via JS as well as server-side on upload. Ajax based upload skipped server-side validation with the assumption that the client already validated the file upload. For most cases this is a valid assumption (ajax only works if JS is enabled) but fails to account for cases where HTTP requests is intercepted and changed on transit or the request is posted directly to the ajax interface. This commit forces server-side file upload validation.
---
 include/ajax.forms.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/ajax.forms.php b/include/ajax.forms.php
index e53b91348..ca33e246c 100644
--- a/include/ajax.forms.php
+++ b/include/ajax.forms.php
@@ -113,7 +113,7 @@ class DynamicFormsAjaxAPI extends AjaxController {
 function attach() {
 $field = new FileUploadField();
 return JsonDataEncoder::encode(
- array('id'=>$field->ajaxUpload(true))
+ array('id'=>$field->ajaxUpload())
 );
 }
 }
-- GitLab
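Review bot: The field is built with no arguments at `$field = new FileUploadField();`, so the checks that now run inside `ajaxUpload()` are whatever an unconfigured field enforces. The hunk does not show whether that is the system-wide allow-list or the type and size limits of the form field the upload belongs to, so this should be confirmed and stated in a comment. The call site no longer passes `true`, but if `ajaxUpload()` still accepts a bypass argument (its definition is outside this hunk), the skip path stays available to any other caller; consider dropping the parameter there. A comment above the call, such as `// Server-side validation is mandatory: this endpoint accepts direct POSTs, so client-side checks cannot be relied on.`, would help keep the argument from being reintroduced. `attach()` is complete in the hunk, but the enclosing class begins outside it.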