From 231a58e6564fc927a2f38c9a45871df43da14420 Mon Sep 17 00:00:00 2001
From: Janusz Dobrowolski
Date: Sun, 27 Sep 2020 16:18:47 +0200
Subject: [PATCH] [0005198] Attach Documents: constrained attachemnt file types to avoid XSS using javascript in SVG. Thanks to Bobby Lin.
---
 admin/attachments.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/admin/attachments.php b/admin/attachments.php
index d3f491ac..7e6ba955 100644
--- a/admin/attachments.php
+++ b/admin/attachments.php
@@ -83,7 +83,10 @@ if ($Mode == 'ADD_ITEM' || $Mode == 'UPDATE_ITEM')
 $filename = basename($_FILES['filename']['name']);
 if (!transaction_exists($_POST['filterType'], $_POST['trans_no']))
 display_error(_("Selected transaction does not exists."));
- elseif ($Mode == 'ADD_ITEM' && !isset($_FILES['filename']))
+ elseif ($Mode == 'ADD_ITEM' && !in_array(strtoupper(substr($filename, strlen($filename) - 3)), array('JPG','PNG','GIF', 'PDF', 'DOC', 'ODT')))
+ {
+ display_error(_('Only graphics,pdf,doc and odt files are supported.'));
+ } elseif ($Mode == 'ADD_ITEM' && !isset($_FILES['filename']))
 display_error(_("Select attachment file."));
 elseif ($Mode == 'ADD_ITEM' && ($_FILES['filename']['error'] > 0)) {
 if ($_FILES['filename']['error'] == UPLOAD_ERR_INI_SIZE)
-- 
2.30.2
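Review bot: The new allowlist check on the added `elseif` keys on the last three characters of the name (`substr($filename, strlen($filename) - 3)`) rather than on the real extension, so `report.apdf`, `notesPDF` or a dotless name ending in `pdf` pass while `photo.jpeg` and `memo.docx` are rejected; compare `strtolower(pathinfo($filename, PATHINFO_EXTENSION))` against a lower-case list (`array('jpg', 'jpeg', 'png', 'gif', 'pdf', 'doc', 'odt')`) instead. The check is also gated on `$Mode == 'ADD_ITEM'`, so if the UPDATE_ITEM path (outside this hunk) accepts a replacement upload the SVG restriction does not apply there; gating on `isset($_FILES['filename']) && $_FILES['filename']['name'] != ''` would cover both modes, and moving the check after the existing `!isset($_FILES['filename'])` test keeps the "Select attachment file." message reachable, which the new ordering makes dead for a missing file. A name-based allowlist only closes the reported SVG vector if the download side never lets the browser sniff the stored bytes as `image/svg+xml`; that code is not visible here, but serving attachments with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff` would mitigate independently of the filename. The enclosing `if ($Mode == 'ADD_ITEM' || $Mode == 'UPDATE_ITEM')` block starts and ends outside the hunk.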