author | Andreas Fischer <bantu@phpbb.com> | 2011-02-12 19:12:51 +0100 |
---|---|---|
committer | Andreas Fischer <bantu@phpbb.com> | 2011-02-12 19:22:51 +0100 |
commit | 23d2798b6daeab2afaa605dfaeb49dfb718e306f (patch) | |
tree | 7370a0d59814706bb8f72a9e96fcf11e8800a22e /phpBB | |
parent | 0588ba25cb919e3b892d4550e5914f234f37875c (diff) | |
[ticket/10038] Use request_var() in the avatar code path of download/file.php
There is no reason not to use request_var() here because it is available anyway
since 3afd2c6948e777fde2f43f00bff1659f2691f4d8.
This change especially prevents submitting an array which might then throw an
error in one of the string functions substr() or strpos() later on.
PHPBB3-10038
Diffstat (limited to 'phpBB')
-rw-r--r-- | phpBB/download/file.php | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/phpBB/download/file.php b/phpBB/download/file.php index 5f45b88359..f5a766dd57 100644 --- a/phpBB/download/file.php +++ b/phpBB/download/file.php @@ -64,7 +64,7 @@ if (isset($_GET['avatar'])) $browser = (!empty($_SERVER['HTTP_USER_AGENT'])) ? htmlspecialchars((string) $_SERVER['HTTP_USER_AGENT']) : 'msie 6.0'; $config = $cache->obtain_config(); - $filename = $_GET['avatar']; + $filename = request_var('avatar', ''); $avatar_group = false; $exit = false; |
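Review bot: The branch guard shown in the hunk header still tests `isset($_GET['avatar'])` directly, so an array-valued `avatar` parameter still enters this code path, now with `$filename` falling back to the `''` default passed to `request_var('avatar', '')`. Nothing in the visible lines rejects an empty `$filename` before `$avatar_group` and `$exit` are initialised, so consider an explicit check right after the assignment that ends the request with an error response when `$filename === ''`, unless the code further down already does this. Separately, `request_var()` with a string default HTML-escapes and trims the value, unlike the raw `$_GET['avatar']` read it replaces; it is worth confirming in the commit message or a comment that avatar filenames never contain characters such as `&` or quotes, since those would no longer match the stored name.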