Convert the data required for attachments into a simple array and then recreate the object array on decode.
The fix for CVE-2018-8741 looks incomplete because "attachments" is deserialized in two places but the filenames are only checked in one of them. This check is now made every time "attachments" is decoded.
Convert the data required for attachments into a simple array and then recreate the object array on decode.
The fix for CVE-2018-8741 looks incomplete because "attachments" is deserialized in two places but the filenames are only checked in one of them. This check is now made every time "attachments" is decoded.