From 9b0b5481fe05b10a254861495280d04721e8d9d1 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Thu, 24 Oct 2013 21:03:06 +0200 Subject: [ticket/11534] Check remote avatar content type if possible This should make sure that error pages like 404 or 503 pages are not treated as remote avatar images. PHPBB3-11534 --- phpBB/phpbb/avatar/driver/remote.php | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) (limited to 'phpBB/phpbb/avatar/driver') diff --git a/phpBB/phpbb/avatar/driver/remote.php b/phpBB/phpbb/avatar/driver/remote.php index 1aa638dfe5..a04c6879f3 100644 --- a/phpBB/phpbb/avatar/driver/remote.php +++ b/phpBB/phpbb/avatar/driver/remote.php @@ -125,6 +125,37 @@ class remote extends \phpbb\avatar\driver\driver $types = \fileupload::image_types(); $extension = strtolower(\filespec::get_extension($url)); + // Check if this is actually an image + if ($file_stream = @fopen($url, 'r')) + { + // Timeout after 1 second + stream_set_timeout($file_stream, 1); + $meta = stream_get_meta_data($file_stream); + foreach ($meta['wrapper_data'] as $header) + { + $header = preg_split('/ /', $header, 2); + if (strtr(strtolower(trim($header[0], ':')), '_', '-') === 'content-type') + { + if (strpos($header[1], 'image/') !== 0) + { + $error[] = 'AVATAR_URL_INVALID'; + fclose($file_stream); + return false; + } + else + { + fclose($file_stream); + break; + } + } + } + } + else + { + $error[] = 'AVATAR_URL_INVALID'; + return false; + } + if (!empty($image_data) && (!isset($types[$image_data[2]]) || !in_array($extension, $types[$image_data[2]]))) { if (!isset($types[$image_data[2]])) -- cgit v1.2.1 From 7aa8f6461f1e85cf91931f56b95384e54fec07c2 Mon Sep 17 00:00:00 2001 From: Andreas Fischer Date: Wed, 30 Oct 2013 13:05:28 +0100 Subject: [task/code-sniffer] Remove the IN_PHPBB check side-effect from class files. PHPBB3-11980 --- phpBB/phpbb/avatar/driver/driver.php | 8 -------- phpBB/phpbb/avatar/driver/driver_interface.php | 8 -------- phpBB/phpbb/avatar/driver/gravatar.php | 8 -------- phpBB/phpbb/avatar/driver/local.php | 8 -------- phpBB/phpbb/avatar/driver/remote.php | 8 -------- phpBB/phpbb/avatar/driver/upload.php | 8 -------- 6 files changed, 48 deletions(-) (limited to 'phpBB/phpbb/avatar/driver') diff --git a/phpBB/phpbb/avatar/driver/driver.php b/phpBB/phpbb/avatar/driver/driver.php index 206df86543..d360614122 100644 --- a/phpBB/phpbb/avatar/driver/driver.php +++ b/phpBB/phpbb/avatar/driver/driver.php @@ -9,14 +9,6 @@ namespace phpbb\avatar\driver; -/** -* @ignore -*/ -if (!defined('IN_PHPBB')) -{ - exit; -} - /** * Base class for avatar drivers * @package phpBB3 diff --git a/phpBB/phpbb/avatar/driver/driver_interface.php b/phpBB/phpbb/avatar/driver/driver_interface.php index d9540c19db..7f049469a2 100644 --- a/phpBB/phpbb/avatar/driver/driver_interface.php +++ b/phpBB/phpbb/avatar/driver/driver_interface.php @@ -9,14 +9,6 @@ namespace phpbb\avatar\driver; -/** -* @ignore -*/ -if (!defined('IN_PHPBB')) -{ - exit; -} - /** * Interface for avatar drivers * @package phpBB3 diff --git a/phpBB/phpbb/avatar/driver/gravatar.php b/phpBB/phpbb/avatar/driver/gravatar.php index 3ad783932e..d64f4da734 100644 --- a/phpBB/phpbb/avatar/driver/gravatar.php +++ b/phpBB/phpbb/avatar/driver/gravatar.php @@ -9,14 +9,6 @@ namespace phpbb\avatar\driver; -/** -* @ignore -*/ -if (!defined('IN_PHPBB')) -{ - exit; -} - /** * Handles avatars hosted at gravatar.com * @package phpBB3 diff --git a/phpBB/phpbb/avatar/driver/local.php b/phpBB/phpbb/avatar/driver/local.php index 0686ffe79a..f6acc6e636 100644 --- a/phpBB/phpbb/avatar/driver/local.php +++ b/phpBB/phpbb/avatar/driver/local.php @@ -9,14 +9,6 @@ namespace phpbb\avatar\driver; -/** -* @ignore -*/ -if (!defined('IN_PHPBB')) -{ - exit; -} - /** * Handles avatars selected from the board gallery * @package phpBB3 diff --git a/phpBB/phpbb/avatar/driver/remote.php b/phpBB/phpbb/avatar/driver/remote.php index 1aa638dfe5..12cbd883f4 100644 --- a/phpBB/phpbb/avatar/driver/remote.php +++ b/phpBB/phpbb/avatar/driver/remote.php @@ -9,14 +9,6 @@ namespace phpbb\avatar\driver; -/** -* @ignore -*/ -if (!defined('IN_PHPBB')) -{ - exit; -} - /** * Handles avatars hosted remotely * @package phpBB3 diff --git a/phpBB/phpbb/avatar/driver/upload.php b/phpBB/phpbb/avatar/driver/upload.php index bda872df7a..822c40af98 100644 --- a/phpBB/phpbb/avatar/driver/upload.php +++ b/phpBB/phpbb/avatar/driver/upload.php @@ -9,14 +9,6 @@ namespace phpbb\avatar\driver; -/** -* @ignore -*/ -if (!defined('IN_PHPBB')) -{ - exit; -} - /** * Handles avatars uploaded to the board * @package phpBB3 -- cgit v1.2.1