  1. phpBB3
  2. PHPBB3-9694

Calling download/file.php with empty avatar parameter can throw an E_NOTICE message

    Details

    • Type: Bug
    • Status: Unverified Fix
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.7-PL1
    • Fix Version/s: 3.0.8-RC1
    • Component/s: Other
    • Labels:
      None

      Description

      Calling download/file.php with an empty avatar parameter can result in an E_NOTICE message containing the full path to the phpBB installation.

      This is the case when the error_reporting setting (e.g. from php.ini) contains E_NOTICE.
      The notice is thrown in line

      if ($filename[0] === 'g')
      

      because the $filename string doesn't have an offset 0 because it's an empty string.

      This has been reported by evilzone.org
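
      The failure mode described above, reproduced outside phpBB as an added example (not phpBB's code and not the project's actual fix). The function names and sample filenames are constructed for illustration. It captures the engine diagnostic raised for an empty string, which carries the script's absolute path, and contrasts it with a check that tests the offset before reading it.

```php
<?php
// Added illustration, not phpBB code. Function names are hypothetical.
error_reporting(E_ALL);

// Collect engine diagnostics instead of printing them, so the text a client
// would receive with display_errors enabled can be inspected.
$captured = [];
set_error_handler(function ($errno, $errstr, $errfile, $errline) use (&$captured) {
    // $errfile is the absolute path of the script: this is what leaks.
    $captured[] = "$errstr in $errfile on line $errline";
    return true; // suppress PHP's default output
});

// The comparison as quoted in the report: reads offset 0 with no length test.
function first_char_is_g_unchecked($filename)
{
    return $filename[0] === 'g';
}

// Hardened variant: confirm offset 0 exists before reading it.
function first_char_is_g_checked($filename)
{
    return is_string($filename) && isset($filename[0]) && $filename[0] === 'g';
}

// Constructed sample values; the last one is the empty parameter from the report.
foreach (['g5.jpg', '5.jpg', ''] as $input) {
    $captured = [];
    $unchecked = first_char_is_g_unchecked($input);
    $from_unchecked = $captured;

    $captured = [];
    $checked = first_char_is_g_checked($input);
    $from_checked = $captured;

    printf("%-10s unchecked=%s checked=%s\n",
        var_export($input, true), var_export($unchecked, true), var_export($checked, true));
    foreach ($from_unchecked as $msg) {
        echo "  unchecked diagnostic: $msg\n";
    }
    foreach ($from_checked as $msg) {
        echo "  checked diagnostic: $msg\n";
    }
}
```

      Both variants return the same boolean for every input; only the unchecked one produces a diagnostic for the empty string.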


              People

              • Assignee:
                bantu Andreas Fischer
                Reporter:
                bantu Andreas Fischer
