From fdad9239600b92bdf53144ee0ec4a29969bf2570 Mon Sep 17 00:00:00 2001
From: Peter Rotich <peter@osticket.com>
Date: Tue, 26 Jan 2016 03:23:27 +0000
Subject: [PATCH] Always force server-side attachments validation

osTicket supports filtering allowable files on the client-side via JS as
well as server-side on upload.

Ajax-based upload skipped server-side validation on the assumption that
the client had already validated the file upload. For most cases this is a valid
assumption (ajax only works if JS is enabled), but it fails to account for cases
where an HTTP request is intercepted and changed in transit or the request is
posted directly to the ajax interface.

This commit forces server-side file upload validation.
---
 include/ajax.forms.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/ajax.forms.php b/include/ajax.forms.php
index 1d4dc1423..f99870a97 100644
--- a/include/ajax.forms.php
+++ b/include/ajax.forms.php
@@ -358,7 +358,7 @@ class DynamicFormsAjaxAPI extends AjaxController {
     function attach() {
         $field = new FileUploadField();
         return JsonDataEncoder::encode(
-            array('id'=>$field->ajaxUpload(true))
+            array('id'=>$field->ajaxUpload())
         );
     }
 
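Review bot: The new call `$field->ajaxUpload()` relies on the default value of ajaxUpload's first parameter, which is defined outside this diff, so the skip-validation switch presumably still exists on FileUploadField. Any other caller that passes `true` would keep the bypass this commit is meant to close. Consider removing that parameter in the same change, or at least auditing the remaining call sites. A comment above the call would also help, for example `// Never skip server-side validation: client-side filtering is advisory only.` A regression test that posts a disallowed file type directly to this endpoint and expects a rejection would pin the behaviour.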
-- 
GitLab