What do we have to check when uploading an avatar / image ?

  • Thread starter Thread starter account8226
  • Start date Start date
A

account8226

Guest
Hello,

I'm making an addon where anyone can upload a custom logo for their page.

I'm correctly uploading the file, but I am afraid to forgot something.

Actually, I'm checking the following :
  • if (!$logo->isImage())
  • if (!in_array($imageType, array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG))
Anything else that could check to improve security ?

Regards.
 
Ok, after spending few hours onto this, I just would like to check the image size (not bigger than 1MB).

Any ideas ?
 
Have a look at XenForo_ControllerPublic_Account::actionAvatarUpload

and then look at $avatarModel->uploadAvatar (or XenForo_Model_Avatar::uploadAvatar )

Since the core already does this, you can easily use a similar functionality to the core.

You can see that the model checks:
$largestDimension = $this->getSizeFromCode('l');
$upload->isValid()

and
XenForo_Upload::isValid()

checks quite a few things:

Code:
protected function _checkForErrors()
{
$this->_checkImageState();
 
if ($this->_allowedExtensions && !in_array($this->_extension, $this->_allowedExtensions))
{
$this->_errors['extension'] = new XenForo_Phrase('uploaded_file_does_not_have_an_allowed_extension');
}
 
 
If in doubt, look at core functionality that does what you want to do, then work backwards through the code to figure out how to do it using the same methods as the core
if ($this->_tempFile && $this->_maxFileSize && filesize($this->_tempFile) > $this->_maxFileSize)
{
$this->_errors['fileSize'] = new XenForo_Phrase('uploaded_file_is_too_large');
}
 
if (!$this->_tempFile)
{
$this->_errors['fileSize'] = new XenForo_Phrase('uploaded_file_is_too_large_for_server_to_process');
}
 
$this->_errorsChecked = true;
}

If in doubt, look for core functionality that does a similar thing to what you want to do, then work backwards through the code, so that you can use the core methods for doing what you want to do
 
Have a look at XenForo_ControllerPublic_Account::actionAvatarUpload

and then look at $avatarModel->uploadAvatar (or XenForo_Model_Avatar::uploadAvatar )

Since the core already does this, you can easily use a similar functionality to the core.

You can see that the model checks:
$largestDimension = $this->getSizeFromCode('l');
$upload->isValid()

and
XenForo_Upload::isValid()

checks quite a few things:

Code:
protected function _checkForErrors()
{
$this->_checkImageState();
 
if ($this->_allowedExtensions && !in_array($this->_extension, $this->_allowedExtensions))
{
$this->_errors['extension'] = new XenForo_Phrase('uploaded_file_does_not_have_an_allowed_extension');
}
 
 
If in doubt, look at core functionality that does what you want to do, then work backwards through the code to figure out how to do it using the same methods as the core
if ($this->_tempFile && $this->_maxFileSize && filesize($this->_tempFile) > $this->_maxFileSize)
{
$this->_errors['fileSize'] = new XenForo_Phrase('uploaded_file_is_too_large');
}
 
if (!$this->_tempFile)
{
$this->_errors['fileSize'] = new XenForo_Phrase('uploaded_file_is_too_large_for_server_to_process');
}
 
$this->_errorsChecked = true;
}

If in doubt, look for core functionality that does a similar thing to what you want to do, then work backwards through the code, so that you can use the core methods for doing what you want to do

Great thanks for the reply, that's what I've done and I used that maxFileSize method, it's doing the work ;)
 
Back
Top Bottom