Always force server-side attachments validation

osTicket supports filtering allowable files on the client-side via JS as well as server-side on upload. Ajax based upload skipped server-side validation with the assumption that the client already validated the file upload. For most cases this is a valid assumption (ajax only works if JS is enabled) but fails to account for cases where HTTP requests is intercepted and changed on transit or the request is posted directly to the ajax interface. This commit forces server-side file upload validation.

Always force server-side attachments validation
osTicket supports filtering allowable files on the client-side via JS as well as server-side on upload. Ajax based upload skipped server-side validation with the assumption that the client already validated the file upload. For most cases this is a valid assumption (ajax only works if JS is enabled) but fails to account for cases where HTTP requests is intercepted and changed on transit or the request is posted directly to the ajax interface. This commit forces server-side file upload validation.
fdad9239 · Peter Rotich · a4668e2e · fdad9239
Commit fdad9239 authored 9 years ago by Peter Rotich
--- a/include/ajax.forms.php
+++ b/include/ajax.forms.php
@@ -358,7 +358,7 @@ class DynamicFormsAjaxAPI extends AjaxController {
    function attach() {
        $field = new FileUploadField();
        return JsonDataEncoder::encode(
-            array('id'=>$field->ajaxUpload(true))
+            array('id'=>$field->ajaxUpload())
        );
    }