Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-9694

Calling download/file.php with empty avatar parameter can throw an E_NOTICE message

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.7-PL1
    • Fix Version/s: 3.0.8-RC1
    • Component/s: Other
    • Labels:
      None

      Description

      Calling download/file.php with an empty avatar parameter can result in an E_NOTICE message containing the full path to the phpBB installation.

      This is the case when the error_reporting setting (e.g. from php.ini) contains E_NOTICE.
      The notice is trown in line

      if ($filename[0] === 'g')

      because the $filename string doesn't have an offset 0 because it's an empty string.

      This has been reported by evilzone.org

        Attachments

          Issue Links

          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. PHPBB3-9699 Submitting no avatar id causes a warning

          • Major - Major loss of function.
          • Closed

            Activity

              People

              Assignee:
              bantu Andreas Fischer
              Reporter:
              bantu Andreas Fischer
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: