Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-8672

No file size limit in getimagesize() and remote upload

    Details

    • Type: Improvement
    • Status: Unverified Fix
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.5
    • Fix Version/s: 3.2.0-a1
    • Component/s: Other
    • Labels:
      None
    • Environment:
      PHP Environment: 5.2.9
      Database:

      Description

      phpBB uses getimagesize() to get image dimensions when setting an off-site avatar or when using [img] if image size limits are enabled.

      If you set http://noc.gts.pl/100mb.gts?.gif as an avatar, the server will download a huge file.

      It is possible to limit the size:

      function getimagesize_limit($url, $limit)
      {
       global $phpbb_root_path;
       $tmpfilename = tempnam($phpbb_root_path . 'store/', unique_id() . '-');
        $fp = fopen($url, 'r');
       if (!$fp) return false; 
       $tmpfile = fopen($tmpfilename, 'w');
        $size = 0;
       while (!feof($fp) && $size<$limit)
       {
        $content = fread($fp, 8192);
        $size += 8192;  fwrite($tmpfile, $content);
       }
        fclose($fp);
       fclose($tmpfile);
        $is = getimagesize($tmpfilename);
       unlink($tmpfilename);
       return $is;
      }
       

      The size of remote upload should also be limited. The function uses fsockopen, so it's very easy to add a size limit.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Marc Marc
                Reporter:
                michkol michkol [X] (Inactive)
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: