From 8b640648669d0178b3798509bdaec8a0679329c6 Mon Sep 17 00:00:00 2001
From: Prasad <prasad@vtiger.com>
Date: Mon, 22 Apr 2024 13:24:53 +0530
Subject: [PATCH] Ensure file-attachment sent is within allowed dir

---
 modules/Emails/views/MassSaveAjax.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/Emails/views/MassSaveAjax.php b/modules/Emails/views/MassSaveAjax.php
index db74b8a1f..0bc9a8b4b 100644
--- a/modules/Emails/views/MassSaveAjax.php
+++ b/modules/Emails/views/MassSaveAjax.php
@@ -220,6 +220,7 @@ class Emails_MassSaveAjax_View extends Vtiger_Footer_View {
 					$encryptFileName = Vtiger_Util_Helper::getEncryptedFileName($binFile);
 					$newFilePath = $upload_file_path . $current_id . "_" . $encryptFileName;
 
+					Vtiger_Utils::checkFileAccess($oldFilePath);
 					copy($oldFilePath, $newFilePath);
 
 					$sql1 = "insert into vtiger_crmentity (crmid,smcreatorid,smownerid,setype,description,createdtime,modifiedtime) values(?, ?, ?, ?, ?, ?, ?)";
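Review bot: The added call `Vtiger_Utils::checkFileAccess($oldFilePath);` discards its result, so the guard only protects `copy()` if the helper itself ends the request when the path is outside the allowed directories; its body is not visible in this hunk. If it can return instead of terminating, the copy still runs, so either act on the result or state the contract in a comment such as `// checkFileAccess() aborts the request if $oldFilePath is outside the allowed upload directories`. It is also worth confirming that the helper canonicalises the path (resolving `..` segments and symlinks) before comparing, because a prefix check on the raw string would not constrain where `$oldFilePath` actually points. Separately, the result of `copy($oldFilePath, $newFilePath)` is not checked, so the `vtiger_crmentity` insert prepared on the next line appears to go ahead even when no file was copied. The enclosing method starts and ends outside this hunk, so where `$oldFilePath` comes from cannot be judged from here.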
-- 
GitLab