From adff2fb254285e54f899f3a8604e1116cb11573c Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Fri, 12 Jul 2013 14:35:17 -0400
Subject: [ticket/11548] Check upload avatar URL the same way as in phpBB 3.0

The upload avatar URL was checked for its length in phpBB 3.0. Additionally,
starting with the new avatar system in phpBB 3.1, the URL was checked to
prevent improper URLs being submitted. This minor change is needed for proper
testing of the ucp and acp groups pages.

PHPBB3-11548
---
 phpBB/includes/avatar/driver/upload.php | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

(limited to 'phpBB/includes/avatar')

diff --git a/phpBB/includes/avatar/driver/upload.php b/phpBB/includes/avatar/driver/upload.php
index baf51f61c1..685ac4f349 100644
--- a/phpBB/includes/avatar/driver/upload.php
+++ b/phpBB/includes/avatar/driver/upload.php
@@ -77,6 +77,32 @@ class phpbb_avatar_driver_upload extends phpbb_avatar_driver
 		}
 		elseif (!empty($this->config['allow_avatar_remote_upload']) && !empty($url))
 		{
+			if (!preg_match('#^(http|https|ftp)://#i', $url))
+			{
+				$url = 'http://' . $url;
+			}
+
+			if (!function_exists('validate_data'))
+			{
+				require($this->phpbb_root_path . 'includes/functions_user.' . $this->php_ext);
+			}
+
+			$validate_array = validate_data(
+				array(
+					'url' => $url,
+				),
+				array(
+					'url' => array('string', true, 5, 255),
+				)
+			);
+
+			$error = array_merge($error, $validate_array);
+
+			if (!empty($error))
+			{
+				return false;
+			}
+
 			$file = $upload->remote_upload($url);
 		}
 		else
-- 
cgit v1.2.1