From d373b9c290cf6bda2b63fbbd69a04827010a5d97 Mon Sep 17 00:00:00 2001
From: ansuz
Date: Mon, 22 Jun 2020 15:00:34 -0400
Subject: [PATCH] ignore support ticket attachments with hrefs hosted by anything other than the local 'file' app

---
www/support/ui.js | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/www/support/ui.js b/www/support/ui.js
index ce3f09702..454dddcfc 100644
--- a/www/support/ui.js
+++ b/www/support/ui.js
@@ -179,8 +179,6 @@ define([
 }).on('change', function (e) {
 var files = Util.slice(e.target.files);
 files.forEach(function (file) {
- // XXX validate that the href is hosted on the same instance
- // use relative URLs or compare it against a list or allowed domains?
 var ev = {};
 ev.callback = function (data) {
 var x, a;
@@ -321,10 +319,11 @@ define([
 var attachments = (content.attachments || []).map(function (obj) {
 if (!obj || !obj.name || !obj.href) { return; }
+ // only support files explicitly beginning with /file/ so that users can't link outside of the instance
+ if (!/^\/file\//.test(obj.href)) { return; }
 var a = h('a', { href: '#' }, obj.name);
- // XXX disallow remote URLs
 $(a).click(function (e) {
 e.preventDefault();
 ctx.common.openURL(obj.href);