
What do we have to check when uploading an avatar / image?


account8226

Guest
#1
Hello,

I'm making an addon where anyone can upload a custom logo for their page.

I'm correctly uploading the file, but I am afraid I forgot something.

Currently, I'm checking the following:
  • if (!$logo->isImage())
  • if (!in_array($imageType, array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG)))
Is there anything else I could check to improve security?

Regards.
 

account8226

Guest
#2
Ok, after spending a few hours on this, I would just like to check the image size as well (not bigger than 1MB).

Any ideas ?
 

tenants

Well-known member
#3
Have a look at XenForo_ControllerPublic_Account::actionAvatarUpload

and then look at $avatarModel->uploadAvatar (or XenForo_Model_Avatar::uploadAvatar).

Since the core already does this, you can easily use similar functionality to the core.

You can see that the model checks:
$largestDimension = $this->getSizeFromCode('l');
$upload->isValid()

and
XenForo_Upload::isValid()

checks quite a few things:

Code:
    protected function _checkForErrors()
    {
        // Validates that the file is a real, decodable image (not just a file with an image extension)
        $this->_checkImageState();

        // Extension allowlist
        if ($this->_allowedExtensions && !in_array($this->_extension, $this->_allowedExtensions))
        {
            $this->_errors['extension'] = new XenForo_Phrase('uploaded_file_does_not_have_an_allowed_extension');
        }

        // Size limit, measured on the temp file actually written to disk
        if ($this->_tempFile && $this->_maxFileSize && filesize($this->_tempFile) > $this->_maxFileSize)
        {
            $this->_errors['fileSize'] = new XenForo_Phrase('uploaded_file_is_too_large');
        }

        // No temp file at all usually means PHP refused the upload (post_max_size / upload_max_filesize)
        if (!$this->_tempFile)
        {
            $this->_errors['fileSize'] = new XenForo_Phrase('uploaded_file_is_too_large_for_server_to_process');
        }

        $this->_errorsChecked = true;
    }

If in doubt, look for core functionality that does a similar thing to what you want to do, then work backwards through the code, so that you can use the core methods for doing what you want to do.
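The same set of checks the core applies (extension allowlist, size limit on the bytes on disk, a real image-header check, and a dimension cap), as one stand-alone PHP function. This is an added example, not XenForo's own code; the limits, error keys, and the two sample files are constructed for the demonstration.

```php
<?php
// Added example (not XenForo's own code): the checks discussed above in one
// self-contained function. $maxBytes and $maxDimension are assumed limits.
function validateImageUpload(string $tmpPath, string $clientName,
                             int $maxBytes, int $maxDimension): array
{
    $errors = [];
    $allowedTypes = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
    // 1. Extension allowlist on the client-supplied name (never sufficient on its own).
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if ($ext === 'jpeg') { $ext = 'jpg'; }
    if (!in_array($ext, $allowedTypes, true)) {
        $errors['extension'] = 'uploaded_file_does_not_have_an_allowed_extension';
    }
    // 2. Size limit on the bytes actually on disk, not on $_FILES['size'] or Content-Length.
    if (!is_file($tmpPath)) {
        $errors['fileSize'] = 'uploaded_file_is_too_large_for_server_to_process';
        return $errors;
    }
    if (filesize($tmpPath) > $maxBytes) {
        $errors['fileSize'] = 'uploaded_file_is_too_large';
    }
    // 3. Content check: getimagesize() parses the real headers; $_FILES['type'] is client-supplied.
    $info = @getimagesize($tmpPath);
    if ($info === false || !isset($allowedTypes[$info[2]])) {
        $errors['image'] = 'uploaded_file_is_not_a_valid_image';
        return $errors;
    }
    // 4. Extension must agree with the detected type (a GIF uploaded as logo.png is rejected).
    if ($allowedTypes[$info[2]] !== $ext) {
        $errors['extension'] = 'file_extension_does_not_match_image_type';
    }
    // 5. Dimension cap, like the core's largest avatar size: huge images exhaust memory when resized.
    if ($info[0] > $maxDimension || $info[1] > $maxDimension) {
        $errors['dimensions'] = 'image_dimensions_exceed_limit';
    }
    return $errors;
}

// Constructed samples: a 1x1 PNG, and a plain-text file presented as logo.png.
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='));
$fake = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($fake, 'this is not an image');
print_r(validateImageUpload($png, 'logo.png', 1048576, 400));   // real PNG sample
print_r(validateImageUpload($fake, 'logo.png', 1048576, 400));  // text file renamed .png
unlink($png); unlink($fake);
```

Whatever passes these checks should still be stored under a server-generated filename and, ideally, re-encoded through GD or Imagick so that only pixel data survives.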
 

account8226

Guest
#4
Great, thanks for the reply! That's what I've done: I used that maxFileSize method and it's doing the work ;)