Details
-
Type:
Bug
-
Status: Unverified Fix
-
Priority:
Minor
-
Resolution: Fixed
-
Affects Version/s: 3.0.11, 3.1.0-dev
-
Fix Version/s: 3.1.0-a2
-
Component/s: ACP, User Control Panel (UCP), Viewing posts
-
Labels:None
-
GitHub Pull Request URL:
Description
The remote avatar should throw an error when an incorrect image link is supplied, i.e. something like this link to a 404 page on phpbb.com:
https://www.phpbb.com/avatar/55502f40dc8b7c769880b10874abc9d0.jpg
Instead, the avatar system thinks that a proper image has been supplied and updates the user's avatar data to point to this incorrect link. The "image" will not be loaded, however, this leaves us with a broken link to an image that should never happen in the first place.
Activity
<nickvergessen> you can upload an image
|
<nickvergessen> set it in the ucp
|
<nickvergessen> and then replace it with a different file
|
<nickvergessen> so nothing we can do much about
|
<Marc> I said it's not a XSS attack vector :P
|
<Marc> but we should check if that is an actual image when submitting the form
|
<nickvergessen> its useless
|
<nickvergessen> because it gives a fake feeling of scurity
|
<nickvergessen> also you can not use an image that you are going to upload
|
<nickvergessen> or are currently uploading
|
<nickvergessen> or from which the server is currently unavailable
|
This is not about security, this is about telling people that their specified URL is wrong. This will allow them to correct it.
This ticket will require different patches for both develop and develop-olympus.