Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-9694

Calling download/file.php with empty avatar parameter can throw an E_NOTICE message

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Fixed
    • 3.0.7-PL1
    • 3.0.8-RC1
    • Other
    • None

    Description

      Calling download/file.php with an empty avatar parameter can result in an E_NOTICE message containing the full path to the phpBB installation.

      This is the case when the error_reporting setting (e.g. from php.ini) contains E_NOTICE.
      The notice is trown in line

      if ($filename[0] === 'g')
      

      because the $filename string doesn't have an offset 0 because it's an empty string.

      This has been reported by evilzone.org

      Attachments

        Issue Links

          Activity

            People

              bantu Andreas Fischer
              bantu Andreas Fischer
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: