Details
-
Bug
-
Status: Open (View Workflow)
-
Minor
-
Resolution: Unresolved
-
3.2.3
-
None
-
None
-
None
Description
In phpbb\avatar\driver\local, $img['file'] and $row['avatar'] are compared to determine whether or not a given local avatar is the current user’s avatar. $img['file'] is partially URL encoded and $row['avatar'] is not, so these comparisons fail whenever the avatar’s filename or path contains characters that are not in the range [0-9a-fA-F_.~-].