Add att.full_clean() before saving

Fix issue https://github.com/django-helpdesk/django-helpdesk/issues/983
Also, fix stored XSS bug (disclosure: https://huntr.dev/bounties/4d7a5fdd-b2de-467a-ade0-3f2fb386638e/)
lethanhphuc 2021-11-18 10:42:02 +07:00 committed by GitHub
parent 2c7065e0c4
commit 04483bdac3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -145,6 +145,7 @@ def process_attachments(followup, attached_files):
'application/octet-stream',
size=attached.size,
)
att.full_clean()
att.save()
if attached.size < max_email_attachment_size:
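Review bot: `att.full_clean()` raises `django.core.exceptions.ValidationError` whenever the attachment fails model validation, and nothing in this hunk catches it, so `process_attachments` now propagates the exception to its caller (an unhandled error on the ticket update view or a failed email import) instead of skipping the offending file; either wrap the call in `try: ... except ValidationError:` and log/skip that attachment, or document that callers must handle it. Also, the validation that actually blocks the stored XSS lives in the validators on the attachment model fields, none of which are visible here, so a regression test exercising the attachment case from the linked huntr report would make the fix verifiable and keep a future model change from silently reopening it.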