- Bug
- Resolution: Won't Fix
- Minor
- 3.0.11
- None
When choosing as avatar a URL to link from (not to upload from):
- its file size is not checked against the max avatar filesize setting (thus someone can easily link a 50 MiB file), and
- when supplying picture dimensions, the actual picture dimensions are not checked either (thus someone can easily link an 8000x6000 px file).
I understand that the server might not be able to detect both (dimensions and file size) for various reasons. However, the current code (i.e. the function avatar_remote in /includes/functions_user.php) is not trying hard enough to do so.
Mentioned and demonstrated in https://www.phpbb.com/community/viewtopic.php?p=13331989#p13331989
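One way to perform both checks described in the report, as an added example that is not phpBB's own code and not taken from avatar_remote: a bounded fetch that stops reading one byte past the size limit (so an oversized file is rejected without buffering it, whether or not the server sends a truthful Content-Length), followed by reading the real dimensions from the image header and comparing them both to the board limits and to the dimensions the user submitted. The function name validate_remote_avatar, its return shape and the limit values in the usage line are assumptions chosen for illustration.

```php
<?php
// Added example, not phpBB's own code: validate a remote avatar URL against a
// byte limit and pixel limits before accepting it. The function name, the
// return shape and the limit values are assumptions for illustration.

/**
 * Returns ['ok' => bool, 'error' => ?string, 'width' => ?int, 'height' => ?int].
 *
 * $max_bytes / $max_w / $max_h stand in for the board's avatar limits;
 * $claimed_w / $claimed_h are the dimensions the user typed into the form.
 */
function validate_remote_avatar(
    string $url, int $max_bytes, int $max_w, int $max_h,
    ?int $claimed_w = null, ?int $claimed_h = null
): array {
    $fail = fn(string $e) => ['ok' => false, 'error' => $e, 'width' => null, 'height' => null];

    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return $fail('only http(s) URLs are accepted');
    }

    $ctx = stream_context_create(['http' => ['timeout' => 5, 'follow_location' => 0]]);
    $fh = @fopen($url, 'rb', false, $ctx);
    if ($fh === false) {
        return $fail('URL could not be opened');
    }

    // Cheap first check: reject on the advertised Content-Length. The header
    // may be absent or wrong, so the bounded read below is the real guard.
    foreach ($http_response_header ?? [] as $h) {
        if (preg_match('/^Content-Length:\s*(\d+)/i', $h, $m) && (int) $m[1] > $max_bytes) {
            fclose($fh);
            return $fail('advertised size exceeds the avatar size limit');
        }
    }

    // Never read more than $max_bytes + 1 bytes: one extra byte is enough to
    // know the file is too big without buffering a 50 MiB response.
    $data = '';
    while (!feof($fh) && strlen($data) <= $max_bytes) {
        $chunk = fread($fh, min(8192, $max_bytes + 1 - strlen($data)));
        if ($chunk === false || $chunk === '') {
            break;
        }
        $data .= $chunk;
    }
    fclose($fh);

    if (strlen($data) > $max_bytes) {
        return $fail('file exceeds the avatar size limit');
    }

    // Dimensions come from the image header, not from what the user claimed.
    $info = @getimagesizefromstring($data);
    if ($info === false) {
        return $fail('not a recognised image');
    }
    [$w, $h] = $info;
    if ($w > $max_w || $h > $max_h) {
        return $fail("image is {$w}x{$h}, larger than {$max_w}x{$max_h}");
    }
    if (($claimed_w !== null && $claimed_w !== $w) || ($claimed_h !== null && $claimed_h !== $h)) {
        return $fail("submitted dimensions do not match the actual {$w}x{$h}");
    }

    return ['ok' => true, 'error' => null, 'width' => $w, 'height' => $h];
}

// Usage (needs network access; limits and URL are illustrative):
// $r = validate_remote_avatar('https://example.com/avatar.png', 6144, 90, 90, 90, 90);
// if (!$r['ok']) { echo $r['error']; }
```

The Content-Length check is only an early exit; the bounded read is what actually protects the server, since a remote host can omit the header or lie in it. Redirects are disabled in the stream context so the size and dimension checks apply to the URL the user supplied rather than to wherever it redirects.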