From b6ebb10156339a7432a1d1b5d1081cb4fd432db3 Mon Sep 17 00:00:00 2001
From: Prasad <prasad@vtiger.com>
Date: Mon, 22 Apr 2024 15:03:49 +0530
Subject: [PATCH] Ensure file-attachment is restricted to storage dir.

---
 modules/Emails/views/MassSaveAjax.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/modules/Emails/views/MassSaveAjax.php b/modules/Emails/views/MassSaveAjax.php
index 0bc9a8b4b..3d7d2a6e3 100644
--- a/modules/Emails/views/MassSaveAjax.php
+++ b/modules/Emails/views/MassSaveAjax.php
@@ -221,6 +221,11 @@ class Emails_MassSaveAjax_View extends Vtiger_Footer_View {
 					$newFilePath = $upload_file_path . $current_id . "_" . $encryptFileName;
 
 					Vtiger_Utils::checkFileAccess($oldFilePath);
+
+					//restrict attachment only from storage directory
+					if (strpos($oldFilePath, "storage/") !== 0) {
+                                                throw new Exception("Attachment access denied");
+                                        }
 					copy($oldFilePath, $newFilePath);
 
 					$sql1 = "insert into vtiger_crmentity (crmid,smcreatorid,smownerid,setype,description,createdtime,modifiedtime) values(?, ?, ?, ?, ?, ?, ?)";
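Review bot: The new guard on `$oldFilePath` is a plain string-prefix test, so it accepts any path that begins with `storage/` without canonicalizing it, which means `..` segments or symlinks inside that prefix are not caught; the copy() that follows would still read outside the storage directory in those cases. Resolving both sides with realpath() and comparing against the resolved directory plus a separator gives the check the meaning its comment claims, and it should fail closed when either realpath() returns false. Note also that the two added lines after the `if` are indented with spaces while the rest of the file uses tabs. The enclosing method starts and ends outside this hunk, so I am assuming the relative `storage/` prefix is resolved against the same working directory realpath() would use — worth confirming.

```php
					//restrict attachment only from storage directory (canonicalized)
					$storageDir = realpath('storage');
					$resolvedOldPath = realpath($oldFilePath);
					if ($storageDir === false || $resolvedOldPath === false
						|| strpos($resolvedOldPath, $storageDir . DIRECTORY_SEPARATOR) !== 0) {
						throw new Exception("Attachment access denied");
					}
					// … unchanged: copy($oldFilePath, $newFilePath); …
```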
-- 
GitLab