2014-11-02, 12:22 AM
Old code from 1.6.15:
// Check we have a valid extension
$ext = get_extension(my_strtolower($avatar['name']));
if(!preg_match("#^(gif|jpg|jpeg|jpe|bmp|png)$#i", $ext))
{
    $ret['error'] = $lang->error_avatartype;
    return $ret;
}
New code from 1.8:
// Check we have a valid extension
// This is attached to the attachment types allowed to be uploaded (set in the ACP)
$valid_extensions = array();
$extensions = $cache->read("attachtypes");
foreach($extensions as $ext => $type)
{
    if(substr($type['mimetype'], 0, 5) == 'image')
    {
        $valid_extensions[$ext] = 1;
    }
}
$ext = get_extension(my_strtolower($avatar['name']));
if(!isset($valid_extensions[$ext]))
{
    $ret['error'] = $lang->error_avatartype;
    return $ret;
}
As you can see we're checking the extension now against the list of allowed attachment types. This leads to two problems:
- If you don't allow any images in your board the upload avatar function is useless and a short notice should be shown
- The error message still says "An uploaded avatar must be in GIF, JPEG, or PNG format."
So either the error message should be updated or the code needs some changes.
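
Added example, not MyBB's code and not part of the original post: a sketch of a check that handles both points raised above, reporting an empty image list separately and building the format list in the error message from the configured attachment types. The function names and message wording are hypothetical, the sample arrays are constructed, and PHP's `pathinfo()` and `strtolower()` stand in for MyBB's `get_extension()` and `my_strtolower()`.

```php
<?php
// Added example, not MyBB code. Function names and message wording are hypothetical.

// Same filter as the 1.8 snippet: keep attachment types whose MIME type starts with "image".
function avatar_valid_extensions(array $attachtypes): array
{
    $valid = array();
    foreach ($attachtypes as $ext => $type) {
        if (isset($type['mimetype']) && substr($type['mimetype'], 0, 5) == 'image') {
            $valid[strtolower($ext)] = 1;
        }
    }
    return $valid;
}

// Returns null when the extension is accepted, otherwise an error string
// that reflects the board's actual configuration.
function avatar_extension_error(string $filename, array $attachtypes): ?string
{
    $valid = avatar_valid_extensions($attachtypes);
    if (empty($valid)) {
        // First problem from the post: no image types allowed, so say so up front.
        return "Avatar uploads are unavailable: no image attachment types are allowed on this board.";
    }
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!isset($valid[$ext])) {
        // Second problem from the post: list the formats that are really accepted.
        $list = strtoupper(implode(', ', array_keys($valid)));
        return "An uploaded avatar must be in one of these formats: {$list}.";
    }
    return null;
}

// Constructed sample data in the shape the 1.8 code reads from the "attachtypes" cache.
$with_images = array(
    'png' => array('mimetype' => 'image/png'),
    'gif' => array('mimetype' => 'image/gif'),
    'zip' => array('mimetype' => 'application/zip'),
);
$no_images = array('zip' => array('mimetype' => 'application/zip'));

var_dump(avatar_extension_error('me.png', $with_images)); // accepted extension
var_dump(avatar_extension_error('me.jpg', $with_images)); // image type not configured
var_dump(avatar_extension_error('me.png', $no_images));   // no image types at all
```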