[PHPBB3-10038] download/file.php uses $_GET value instead of function request_var() - phpBB Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 3.0.8
Fix Version/s: 3.0.9-RC1
Component/s: Viewing posts
Labels:
None

Fix URL:
https://github.com/phpbb/phpbb3/pull/60

Description

The code in download/file.php

$filename = $_GET['avatar'];

should be adjusted to use function request_var() to get $filename value.
Direct use of $_GET is known as insecure option.

Attachments

Activity

People

Assignee:: Andreas Fischer

Reporter:: rxu

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 12/Feb/11 5:19 PM

Updated:: 22/Jan/17 4:00 PM

Resolved:: 12/Feb/11 6:23 PM