From b712307782b5c4dc02ec326749e1dda5dfebcb6f Mon Sep 17 00:00:00 2001
From: Alexey Skobkin
Date: Fri, 6 Jan 2017 00:13:50 +0300
Subject: [PATCH] Fixing @ in POST parameters which could cause sending file from filesystem as POST data.
---
 src/Skobkin/Bundle/PointToolsBundle/Service/AbstractApi.php | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/Skobkin/Bundle/PointToolsBundle/Service/AbstractApi.php b/src/Skobkin/Bundle/PointToolsBundle/Service/AbstractApi.php
index cec0234..62a0019 100644
--- a/src/Skobkin/Bundle/PointToolsBundle/Service/AbstractApi.php
+++ b/src/Skobkin/Bundle/PointToolsBundle/Service/AbstractApi.php
@@ -79,6 +79,11 @@ class AbstractApi
      */
     public function sendPostRequest($path, array $parameters = [])
     {
+        // Cleaning POST parameters from potential @file injections
+        array_walk($parameters, function (string &$value, string $key) {
+            str_replace('@', '', $value);
+        });
+
         /** @var GuzzleRequest $request */
         $request = $this->client->post($path, null, $parameters);
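Review bot: The added `str_replace('@', '', $value);` inside the array_walk callback discards its return value, so `$value` is never modified and a leading `@` still reaches `$this->client->post($path, null, $parameters)` — as written, the commit does not fix the file-as-POST-data problem it describes. `str_replace` returns the new string and must be assigned back: `$value = str_replace('@', '', $value);`, or, since only a leading `@` appears to trigger the client's file-upload handling, `$value = ltrim($value, '@');`, which avoids mangling legitimate `@` characters inside values such as e-mail addresses. The `string &$value` parameter type will also raise a TypeError for non-string parameter values (a nested array, `null`), so the callback should first check `is_string($value)` or drop the type declaration; `$key` is unused and can be dropped too. The body of sendPostRequest continues past the end of the hunk.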