
No file size limit in getimagesize() and remote upload


    • Improvement
    • Resolution: Fixed
    • Major
    • 3.2.0-a1
    • 3.0.5
    • Other
    • None
    • PHP Environment: 5.2.9
      Database:

      phpBB uses getimagesize() to get image dimensions when setting an off-site avatar or when using [img] if image size limits are enabled.

      If you set http://noc.gts.pl/100mb.gts?.gif as an avatar, the server will download a huge file.

      It is possible to limit the size:

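      function getimagesize_limit($url, $limit)
      {
       global $phpbb_root_path;
       // Fetch at most $limit bytes into a temporary file under store/
       $tmpfilename = tempnam($phpbb_root_path . 'store/', unique_id() . '-');
       $fp = fopen($url, 'r');
       if (!$fp)
       {
        // Do not leave the empty temporary file behind
        unlink($tmpfilename);
        return false;
       }
       $tmpfile = fopen($tmpfilename, 'w');
       $size = 0;
       while (!feof($fp) && $size < $limit)
       {
        // Never request more than the remaining allowance
        $content = fread($fp, min(8192, $limit - $size));
        if ($content === false || $content === '')
        {
         break;
        }
        // Count the bytes actually received, not the requested chunk size
        $size += strlen($content);
        fwrite($tmpfile, $content);
       }
       fclose($fp);
       fclose($tmpfile);
       // getimagesize() now only ever sees the capped local copy
       $is = getimagesize($tmpfilename);
       unlink($tmpfilename);
       return $is;
      }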
       

      The size of remote upload should also be limited. The function uses fsockopen, so it's very easy to add a size limit.

            Marc
            michkol [X] (Inactive)
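One way to cap the remote-upload read mentioned in the report, as an added example (not phpBB's code and not part of the original ticket): the hypothetical helper read_http_body_capped() takes an already-open stream such as one returned by fsockopen(), rejects a declared Content-Length over the limit, and still counts bytes while reading because that header can be absent or wrong. The response used in the demo is constructed.

```php
<?php
// Added example; read_http_body_capped() is a hypothetical helper, not phpBB code.
// $fp is any readable stream positioned at the start of an HTTP response,
// e.g. the resource returned by fsockopen() after the request was written.
function read_http_body_capped($fp, $limit)
{
	// Read the status line and headers up to the blank line.
	$declared = null;
	while (($line = fgets($fp, 8192)) !== false && rtrim($line) !== '')
	{
		if (stripos($line, 'Content-Length:') === 0)
		{
			$declared = (int) trim(substr($line, 15));
		}
	}

	// Cheap early exit: the server admits the body is too large.
	if ($declared !== null && $declared > $limit)
	{
		return false;
	}

	// The header may be missing or false, so count what actually arrives.
	$body = '';
	while (!feof($fp))
	{
		// Ask for one byte more than allowed so an oversize body is detectable.
		$chunk = fread($fp, min(8192, $limit + 1 - strlen($body)));
		if ($chunk === false || $chunk === '')
		{
			break;
		}
		$body .= $chunk;
		if (strlen($body) > $limit)
		{
			return false;
		}
	}
	return $body;
}

// Constructed response: declares 10 bytes but sends 4096.
$fp = fopen('php://memory', 'w+');
fwrite($fp, "HTTP/1.0 200 OK\r\nContent-Length: 10\r\n\r\n" . str_repeat('A', 4096));
rewind($fp);
var_dump(read_http_body_capped($fp, 1024));
fclose($fp);
```

A caller using fsockopen() would also set a read timeout with stream_set_timeout() so a slow sender cannot hold the request open.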