From 16e2ad99daf776b54d8de9c2b14350603d204407 Mon Sep 17 00:00:00 2001
From: Roy Johnson
Date: Sat, 16 Dec 2006 22:16:30 +0000
Subject: [PATCH] fixed a phishing exploit. html and htm files are now renamed to have a .txt extenstion appended to them.
---
 docs/changelog/7.x.x.txt | 1 +
 lib/WebGUI/Storage.pm | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/docs/changelog/7.x.x.txt b/docs/changelog/7.x.x.txt
index d71dab107..a96aca173 100644
--- a/docs/changelog/7.x.x.txt
+++ b/docs/changelog/7.x.x.txt
@@ -8,6 +8,7 @@ Existing tests using that directory have been modified to use the new method instead of finding the path manually. - fix: Avatar in Thread & Posts of CS + - fix: CS Phishing Exploit. 7.3.1 - Fixed a problem with IE and resizable text areas that caused IE to crash
diff --git a/lib/WebGUI/Storage.pm b/lib/WebGUI/Storage.pm
index 862af682a..32f3be81d 100644
--- a/lib/WebGUI/Storage.pm
+++ b/lib/WebGUI/Storage.pm
@@ -208,7 +208,7 @@ sub addFileFromFormPost {
 next if ($upload->size > 1024 * $self->session->setting->get("maxAttachmentSize"));
 if ($tempFilename =~ /([^\/\\]+)$/) { $tempFilename = $1; }
 my $type = $self->getFileExtension($tempFilename);
- if (isIn($type, qw(pl perl sh cgi php asp))) { # make us safe from malicious uploads
+ if (isIn($type, qw(pl perl sh cgi php asp html htm))) { # make us safe from malicious uploads
 $tempFilename =~ s/\./\_/g;
 $tempFilename .= ".txt";
 }
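Review bot: The extension test on the new `isIn($type, qw(pl perl sh cgi php asp html htm))` line in lib/WebGUI/Storage.pm is still a denylist, so any other type a browser renders as active content from the site's origin (for example `shtml`, `xhtml` or `svg`) keeps its extension and remains usable for the same spoofed-page problem. Inverting the check to an allowlist of known-inert extensions, with everything else renamed to `.txt`, would close the class rather than two members of it. Whether `getFileExtension` lower-cases its result is not visible in this hunk; if it does not, an upload named `.HTML` or `.Htm` would skip the rename, so compare on `lc($type)`. A short comment above the list saying that it covers both server-executed and browser-rendered types would help the next maintainer keep it complete. `addFileFromFormPost` starts and ends outside the hunk.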