[PHPBB3-9694] Calling download/file.php with empty avatar parameter can throw an E_NOTICE message - phpBB Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 3.0.7-PL1
Fix Version/s: 3.0.8-RC1
Component/s: Other
Labels:
None

Fix URL:
http://github.com/bantu/phpbb3/compare/ticket/9694

Description

Calling download/file.php with an empty avatar parameter can result in an E_NOTICE message containing the full path to the phpBB installation.

This is the case when the error_reporting setting (e.g. from php.ini) contains E_NOTICE.
The notice is trown in line

if ($filename[0] === 'g')

because the $filename string doesn't have an offset 0 because it's an empty string.

This has been reported by evilzone.org

Attachments

Issue Links

is duplicated by

PHPBB3-9699 Submitting no avatar id causes a warning

Closed

Activity

People

Assignee:: Andreas Fischer [X] (Inactive)

Reporter:: Andreas Fischer [X] (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 01/Jul/10 10:07 PM

Updated:: 22/Jan/17 4:00 PM

Resolved:: 01/Jul/10 10:39 PM