phpBB3: PHPBB3-11534

Remote avatar does not properly check if remote file is an image

    Details

      Description

      The remote avatar should throw an error when an incorrect image link is supplied, i.e. something like this link to a 404 page on phpbb.com:
      https://www.phpbb.com/avatar/55502f40dc8b7c769880b10874abc9d0.jpg

      Instead, the avatar system thinks that a proper image has been supplied and updates the user's avatar data to point to this incorrect link. The "image" will not be loaded; however, this leaves us with a broken link to an image, which should never happen in the first place.
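As an added illustration of the check this ticket asks for (example code written for this page, not phpBB's own avatar code), the validator below accepts a fetched remote avatar only when the HTTP status is 200 and the body starts with a known image signature, so a 404 page, or an HTML page served with an image Content-Type, is rejected and the user can be told the URL is wrong. The network fetch is left out: the function takes the status, Content-Type and body of an already-received response, and the sample responses are constructed.

```python
import struct

# Magic-byte signatures of the formats an avatar is allowed to be.
SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif87a": b"GIF87a",
    "gif89a": b"GIF89a",
}

def sniff_image_type(body: bytes):
    """Return the image type from the leading bytes, or None if not a known image."""
    for name, magic in SIGNATURES.items():
        if body.startswith(magic):
            return "gif" if name.startswith("gif") else name
    return None

def png_dimensions(body: bytes):
    """Width and height from the PNG IHDR chunk (bytes 16..24), or None if truncated."""
    if len(body) < 24:
        return None
    width, height = struct.unpack(">II", body[16:24])
    return width, height

def validate_remote_avatar(status: int, content_type: str, body: bytes):
    """Decide whether an HTTP response is a usable avatar image.
    Returns (accepted, reason). Only a 200 response whose body starts with a
    known image signature is accepted; the Content-Type header is reported but
    never trusted on its own, since a server can send any value there."""
    if status != 200:
        return False, f"remote server answered HTTP {status}, not an image"
    kind = sniff_image_type(body)
    if kind is None:
        return False, f"response body is not a known image (Content-Type was {content_type!r})"
    return True, kind

# Constructed sample responses (hypothetical, not real captures).
NOT_FOUND_PAGE = (404, "text/html; charset=utf-8", b"<!DOCTYPE html><html><title>404</title></html>")
LYING_HEADER = (200, "image/jpeg", b"<html><body>Soft 404 served with an image content type</body></html>")
REAL_PNG = (200, "image/png",
            SIGNATURES["png"] + struct.pack(">I", 13) + b"IHDR" + struct.pack(">IIBBBBB", 80, 80, 8, 6, 0, 0, 0))

if __name__ == "__main__":
    for response in (NOT_FOUND_PAGE, LYING_HEADER, REAL_PNG):
        print(response[0], validate_remote_avatar(*response))
```

As the comments below note, the remote file can be replaced after the form is submitted, so this is a submit-time usability check that catches a wrong URL, not a security control over what the avatar later shows.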

        Activity

        Marc Marc added a comment -

        This ticket will require different patches for both develop and develop-olympus.

        nickvergessen Joas Schilling added a comment -

        <nickvergessen> you can upload an image
        <nickvergessen> set it in the ucp
        <nickvergessen> and then replace it with a different file
        <nickvergessen> so nothing we can do much about
        <Marc> I said it's not an XSS attack vector :P
        <Marc> but we should check if that is an actual image when submitting the form
        <nickvergessen> it's useless
        <nickvergessen> because it gives a fake feeling of security
        <nickvergessen> also you can not use an image that you are going to upload
        <nickvergessen> or are currently uploading
        <nickvergessen> or from which the server is currently unavailable

        bantu Andreas Fischer added a comment -

        This is not about security, this is about telling people that their specified URL is wrong. This will allow them to correct it.


          People

          • Assignee: EXreaction (Inactive)
          • Reporter: Marc
          • Votes: 0
          • Watchers: 3
