From 04483bdac3b5196737516398b5ce0383875a5c60 Mon Sep 17 00:00:00 2001 From: lethanhphuc <31820707+noobpk@users.noreply.github.com> Date: Thu, 18 Nov 2021 10:42:02 +0700 Subject: [PATCH] Add `att.full_clean()` before saving Fix issue https://github.com/django-helpdesk/django-helpdesk/issues/983 Also, fix bug stored XSS disclosure: https://huntr.dev/bounties/4d7a5fdd-b2de-467a-ade0-3f2fb386638e/ --- helpdesk/lib.py | 1 + 1 file changed, 1 insertion(+) diff --git a/helpdesk/lib.py b/helpdesk/lib.py index 07d655c3..da853990 100644 --- a/helpdesk/lib.py +++ b/helpdesk/lib.py @@ -145,6 +145,7 @@ def process_attachments(followup, attached_files): 'application/octet-stream', size=attached.size, ) + att.full_clean() att.save() if attached.size < max_email_attachment_size: