Headline
CVE-2022-2128: fix(attachments): file type security fix · polonel/trudesk@fb2ef82
Unrestricted Upload of File with Dangerous Type in GitHub repository polonel/trudesk prior to 1.2.4.
@@ -203,7 +203,12 @@ function mainRoutes (router, middleware, controllers) {
router.get('/tickets/print/:uid’, middleware.redirectToLogin, middleware.loadCommonData, controllers.tickets.print)
router.get('/tickets/:id’, middleware.redirectToLogin, middleware.loadCommonData, controllers.tickets.single)
// router.post('/tickets/postcomment’, middleware.redirectToLogin, controllers.tickets.postcomment);
router.post('/tickets/uploadattachment’, middleware.redirectToLogin, controllers.tickets.uploadAttachment)
router.post(
'/tickets/uploadattachment’,
middleware.redirectToLogin,
middleware.csrfCheck,
controllers.tickets.uploadAttachment
)
router.post('/tickets/uploadmdeimage’, middleware.redirectToLogin, controllers.tickets.uploadImageMDE)
// Messages
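Review bot: The `/tickets/uploadmdeimage` POST route directly below the changed route still runs only `middleware.redirectToLogin`, so the new `middleware.csrfCheck` covers attachment uploads but not the other upload endpoint visible in this hunk. If the editor's image-upload client can send the CSRF token, the same guard should apply: `router.post('/tickets/uploadmdeimage', middleware.redirectToLogin, middleware.csrfCheck, controllers.tickets.uploadImageMDE)`. The file-type restriction named in the commit title is not visible here and presumably lives in `controllers.tickets.uploadAttachment`; it is worth confirming that `uploadImageMDE` enforces an equivalent server-side allow-list. `mainRoutes` starts and ends outside this hunk, so other upload routes in it may need the same check.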