phpBB / PHPBB-9694

Calling download/file.php with empty avatar parameter can throw an E_NOTICE message


    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • 3.0.8-RC1
    • 3.0.7-PL1
    • Other
    • None

      Calling download/file.php with an empty avatar parameter can result in an E_NOTICE message containing the full path to the phpBB installation.

      This is the case when the error_reporting setting (e.g. from php.ini) contains E_NOTICE.
      The notice is thrown in line

      if ($filename[0] === 'g')
      

      because the $filename string doesn't have an offset 0 because it's an empty string.

      This has been reported by evilzone.org

            bantu Andreas Fischer [X] (Inactive)
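The failure mode described in this report, as an added example (not phpBB's code and not the fix that was committed): the unchecked offset read beside a guarded variant, with an error handler that captures the diagnostic, file path included, instead of letting it be printed into the response. Function names and sample filenames are hypothetical; PHP 8 reports the same condition as a warning rather than a notice, so the handler listens for both.

```php
<?php
// Added illustration; not phpBB's code. Function names and sample values are hypothetical.

// Mirrors the check quoted in the report: reads offset 0 without checking length.
function is_group_prefix_unchecked($filename)
{
    return $filename[0] === 'g';
}

// Guarded variant: reject non-strings and empty strings before touching offset 0.
function is_group_prefix_guarded($filename)
{
    return is_string($filename) && $filename !== '' && $filename[0] === 'g';
}

// Run $check on $value and collect any diagnostics PHP raises, instead of
// letting them reach the response body (where the message carries the script path).
function run_and_collect($check, $value)
{
    $diagnostics = array();
    set_error_handler(function ($errno, $errstr, $errfile, $errline) use (&$diagnostics) {
        $diagnostics[] = "$errstr in $errfile on line $errline";
        return true; // handled; suppress PHP's default output
    }, E_NOTICE | E_WARNING);

    try {
        $result = call_user_func($check, $value);
    } finally {
        restore_error_handler();
    }
    return array($result, $diagnostics);
}

// Constructed inputs: an empty avatar parameter and two made-up filenames.
foreach (array('', 'g5_1.jpg', '7_1.jpg') as $value) {
    foreach (array('is_group_prefix_unchecked', 'is_group_prefix_guarded') as $check) {
        list($result, $diagnostics) = run_and_collect($check, $value);
        printf("%-26s %-10s result=%s diagnostics=%d\n",
            $check, var_export($value, true), var_export($result, true), count($diagnostics));
        foreach ($diagnostics as $line) {
            echo "    $line\n";
        }
    }
}
```

Only the unchecked function with the empty string produces a diagnostic line, and that line contains the absolute path of the script, which is the disclosure the report describes.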