  1. phpBB3
  2. PHPBB3-15582

When uploading a wrongly dimensioned avatar, the previous one is deleted, leaving a 404 error

    Details

      Description

      When a user tries to upload a wrongly dimensioned avatar (= its dimensions are outside the min/max width/height range), phpBB still deletes the previous avatar file (in /images/avatars/upload).

      Moreover, phpBB doesn't delete the record in the database (phpbb_users), resulting in a 404 error image. Most of the time, the affected user won't see it because their browser cached the file, but the other users will see a 404 error instead of the avatar.

      Steps to reproduce from a fresh phpBB installation: upload a correct avatar (90x90 px), then a wrong one with the same extension (95x95 px, for example): the avatar will be deleted from the disk. You need to clear the browser cache to see the 404 error, as the browser will display the cached image by default.

       

      I carefully read and tested the phpbb/avatar/driver/upload.php file, and it looks like:

      – If the file size is wrong, $file->error (line 170) isn't empty and the code quits (line 174) without overriding the existing avatar;

      – But the dimensions are tested "too late" (during $file->move_file, line 227), so the old avatar is overridden (if the extensions are the same); then, the file is removed at line 234. The database isn't updated (there is still a record of an avatar).
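
      One way to avoid the ordering problem described above is to check the dimensions before the existing avatar file is touched, then swap the new file in with a single rename. This is an added example, not phpBB's code: the function name `replace_avatar`, the error strings, the limits array and the demo files are all hypothetical.

```php
<?php
// Added example, not phpBB code. All names are hypothetical.

/**
 * Replace an avatar only after the upload has passed every check.
 * Returns null on success or an error string. On error the current
 * avatar file is untouched, so the existing database row stays valid.
 */
function replace_avatar(string $tmp_upload, string $avatar_path, array $limits): ?string
{
    // 1. Validate the upload in place, before touching $avatar_path.
    $info = @getimagesize($tmp_upload);
    if ($info === false) {
        return 'NOT_AN_IMAGE';
    }
    [$width, $height] = $info;
    if ($width < $limits['min_w'] || $width > $limits['max_w']
        || $height < $limits['min_h'] || $height > $limits['max_h']) {
        return 'WRONG_DIMENSIONS';
    }

    // 2. Stage next to the destination so rename() stays on one filesystem.
    $staged = $avatar_path . '.new';
    if (!copy($tmp_upload, $staged)) {
        return 'STAGING_FAILED';
    }

    // 3. Swap in one step: readers see either the old file or the new one.
    if (!rename($staged, $avatar_path)) {
        @unlink($staged);
        return 'SWAP_FAILED';
    }
    return null;
}

// Constructed demo: a valid 90x90 upload, then a rejected 95x95 one.
$dir = sys_get_temp_dir() . '/avatar_demo_' . getmypid();
mkdir($dir);
$limits = ['min_w' => 20, 'max_w' => 90, 'min_h' => 20, 'max_h' => 90];
foreach ([90, 95] as $size) {
    $upload = "$dir/upload_$size.gif";
    // Header-only GIF: enough for getimagesize(), not a displayable image.
    file_put_contents($upload, 'GIF89a' . pack('vv', $size, $size) . "\0\0\0");
    $error = replace_avatar($upload, "$dir/avatar.gif", $limits);
    [$w, $h] = getimagesize("$dir/avatar.gif");
    printf("%dx%d upload: %s, avatar on disk: %dx%d\n",
        $size, $size, $error ?? 'accepted', $w, $h);
}
```

      After the rejected second upload, the file at the avatar path is still the first image, which is the state the existing database record expects.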

       


            People

            • Assignee:
              Unassigned
              Reporter:
              Tan Phi [X] (Inactive)