[PHPBB3-11354] Remote upload of avatars fails if the avatar image is supplied with a service file, e.g. download.php - phpBB Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Minor
Resolution: Won't Fix
Affects Version/s: 3.0.11, 3.1.0-dev
Fix Version/s: 3.1.12-RC1
Component/s: ACP, User Control Panel (UCP)
Labels:
None

Description

While uploading the file the file extension is checked against a limited list of 4 extensions (gif, jpg, jpeg, png). If the file is served with a script like a php file the upload will fail. The image should be checked instead of the link itself.
Also take a look at these comments regarding this issue:
https://github.com/phpbb/phpbb3/pull/1100#issuecomment-13216135
https://github.com/phpbb/phpbb3/pull/1100#issuecomment-13218053

Attachments

Issue Links

depends on

PHPBB3-10018 Refactor Avatars to support custom modules

Unverified Fix

is duplicated by

PHPBB3-13677 Offsite avatar must end in .jpg etc.

Closed

Activity

People

Assignee:: CHItA

Reporter:: Marc

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 13/Feb/13 12:12 AM

Updated:: 09/Sep/17 2:00 PM

Resolved:: 09/Sep/17 2:00 PM