Uploaded image for project: 'phpBB'
  1. phpBB
  2. PHPBB-8672

No file size limit in getimagesize() and remote upload

XMLWordPrintable

    • Icon: Improvement Improvement
    • Resolution: Fixed
    • Icon: Major Major
    • 3.2.0-a1
    • 3.0.5
    • Other
    • None
    • PHP Environment: 5.2.9
      Database:

      phpBB uses getimagesize() to get image dimensions when setting an off-site avatar or when using [img] if image size limits are enabled.

      If you set http://noc.gts.pl/100mb.gts?.gif as an avatar, the server will download a huge file.

      It is possible to limit the size:

      function getimagesize_limit($url, $limit)
      		 
      {
      		 
       global $phpbb_root_path;
      		 
       $tmpfilename = tempnam($phpbb_root_path . 'store/', unique_id() . '-');
      		 
        $fp = fopen($url, 'r');
      		 
       if (!$fp) return false; 
      		 
       $tmpfile = fopen($tmpfilename, 'w');
      		 
        $size = 0;
      		 
       while (!feof($fp) && $size<$limit)
      		 
       {
      		 
        $content = fread($fp, 8192);
      		 
        $size += 8192;  fwrite($tmpfile, $content);
      		 
       }
      		 
        fclose($fp);
      		 
       fclose($tmpfile);
      		 
        $is = getimagesize($tmpfilename);
      		 
       unlink($tmpfilename);
      		 
       return $is;
      		 
      }
      		 
       

      The size of remote upload should also be limited. The function uses fsockopen, so it's very easy to add a size limit.

        1.
        		 Remote avatar upload does not check the filesize before and during transfer. Sub-task Unverified Fix Andreas Fischer [X] (Inactive)

            Marc Marc
            michkol michkol [X] (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: