--- before_compose.php	2018-03-15 14:46:42.000000000 +0200
+++ after_compose.php	2018-03-15 14:46:38.000000000 +0200
@@ -147,6 +147,62 @@
 
 /* --------------------- Specific Functions ------------------------------ */
 
+/*
+Validate the user input 'attachments'.
+If the input is ok, don't do anything.
+If the attachment's file name is in an unexpected format, empty the attachments.
+*/
+function validateAttachments() {
+	
+	global $username, $attachment_dir, $attachments;
+	
+	// no attachments - nothing to validate
+	if (empty($attachments)) 
+	{
+		return;
+	}
+	
+	// get the Messages array
+	$attach_arr = unserialize($attachments);
+	
+	if (empty($attach_arr) || !is_array($attach_arr))
+	{
+		return;
+	}
+	
+	$hashed_attachment_dir = realpath(getHashedDir($username, $attachment_dir));
+	
+	/*
+	For each attachment (of type Message), verify:
+	1. That after calling realpath(), we are in the attachment directory.
+	2. That the file name is 32 characters long (a fixed length used for attachments).
+	3. That the file has no extension.
+	
+	Notes: The attachment file name is a random 32-long string.
+	       The attachments directory contains other types of files as well, 
+           but they either have an exention or are not 32-characters long.		   
+	*/
+	foreach ($attach_arr as $attach_msg_obj)
+	{
+		$received_file_name = $attach_msg_obj->att_local_name;	
+		$full_path = realpath($hashed_attachment_dir . '/' . $received_file_name);
+
+		$path_parts = pathinfo($full_path);
+		$file_name = $path_parts['basename'];
+
+		if ((substr($full_path, 0, strlen($hashed_attachment_dir)) != $hashed_attachment_dir) or
+			(strlen($file_name) != 32) or
+			($path_parts['extension'] != ""))
+		{
+			$attachments = '';
+			return;
+		}			
+	}
+
+	return;
+}
+
+
 function replyAllString($header) {
     global $include_self_reply_all, $username, $data_dir;
     $excl_ar = array();
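Review bot: The directory check on the `substr($full_path, 0, strlen($hashed_attachment_dir))` line accepts any resolved path that merely begins with the directory string, so a sibling directory whose name shares that prefix would also pass; comparing the parent directory, `dirname($full_path) !== $hashed_attachment_dir`, makes the containment test exact and also rejects the `false` that `realpath()` returns for a missing file. The extension test reads `$path_parts['extension']`, which `pathinfo()` omits entirely when there is no extension, so every valid attachment raises an undefined-index notice and the comparison only succeeds because of loose `null != ""`; `isset($path_parts['extension'])` is the intended test, and `!==`/`||` should replace `!=`/`or` across the whole condition. Since the header comment describes `$attachments` as user input, the `unserialize()` call instantiates whatever classes the string names before any of this validation runs; if the project's PHP baseline permits it, `unserialize($attachments, array('allowed_classes' => array('Message')))` limits that to the expected class (confirm the real class name), and each element should be checked with `is_object($attach_msg_obj) && isset($attach_msg_obj->att_local_name)` before its property is read.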
@@ -287,6 +343,8 @@
 }
 /* ----------------------------------------------------------------------- */
 
+validateAttachments();
+
 /*
  * If the session is expired during a post this restores the compose session
  * vars.
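Review bot: The `validateAttachments();` call is placed immediately before the block that restores compose session vars, so if `$attachments` is repopulated from the session after this point that value is never validated; the hunk does not show whether the restore touches `$attachments`, so confirm that or move the call after the restore block. The function also reads `$username` and `$attachment_dir` as globals, which presumably are set earlier in the file and not visible here.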
@@ -1745,4 +1803,3 @@
     }
     return $succes;
 }
-