What do we have to check when uploading an avatar / image ?

Thread starter: account8226
Hello,

I'm making an addon where anyone can upload a custom logo for their page.

I'm correctly uploading the file, but I am afraid I forgot something.

Actually, I'm checking the following:
  • if (!$logo->isImage())
  • if (!in_array($imageType, array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG)))
Anything else I could check to improve security?

Regards.
 
OK, after spending a few hours on this, I just would like to check the image size (not bigger than 1MB).

Any ideas?
 
Have a look at XenForo_ControllerPublic_Account::actionAvatarUpload

and then look at $avatarModel->uploadAvatar (or XenForo_Model_Avatar::uploadAvatar).

Since the core already does this, you can easily use similar functionality to the core.

You can see that the model checks:
$largestDimension = $this->getSizeFromCode('l');
$upload->isValid()

and
XenForo_Upload::isValid()

checks quite a few things:

Code:
protected function _checkForErrors()
{
    // Verifies the uploaded file is a real image (and its dimensions) when an image is expected
    $this->_checkImageState();

    if ($this->_allowedExtensions && !in_array($this->_extension, $this->_allowedExtensions))
    {
        $this->_errors['extension'] = new XenForo_Phrase('uploaded_file_does_not_have_an_allowed_extension');
    }

    if ($this->_tempFile && $this->_maxFileSize && filesize($this->_tempFile) > $this->_maxFileSize)
    {
        $this->_errors['fileSize'] = new XenForo_Phrase('uploaded_file_is_too_large');
    }

    // No temp file means PHP itself rejected the upload before the application saw it
    if (!$this->_tempFile)
    {
        $this->_errors['fileSize'] = new XenForo_Phrase('uploaded_file_is_too_large_for_server_to_process');
    }

    $this->_errorsChecked = true;
}

If in doubt, look for core functionality that does a similar thing to what you want to do, then work backwards through the code, so that you can use the core methods for doing what you want to do
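As an added example (not XenForo core code and not the original poster's addon), here is a standalone PHP version of the same set of checks for a custom logo upload: extension allowlist, the 1MB size cap asked for in the question, real image type read from the file header rather than the client-supplied MIME type, a largest-dimension cap, and the "no temp file" case. The 192px cap, the error strings and the function name are assumptions.

```php
<?php
// Added example, not XenForo's code. $file is one entry of $_FILES.
// Returns an array of errors keyed like XenForo_Upload does; empty means OK.
function validateLogoUpload(array $file, $maxBytes = 1048576, $maxDimension = 192)
{
    $errors = array();
    $allowedExt = array('gif', 'jpg', 'jpeg', 'png');          // assumed allowlist
    $allowedTypes = array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG);

    // PHP discards the temp file when the upload exceeds upload_max_filesize /
    // post_max_size, so a missing temp file is reported as "too large for server".
    if (empty($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        $errors['fileSize'] = 'File missing or too large for the server to process';
        return $errors;
    }
    $tmp = $file['tmp_name'];

    // Extension comes from the client-chosen name: lower-case it and allowlist it.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($ext === 'jpg') {
        $ext = 'jpeg';                                           // normalise for the check below
    }
    if (!in_array($ext, $allowedExt, true)) {
        $errors['extension'] = 'Uploaded file does not have an allowed extension';
    }

    // Measure the stored temp file; $file['size'] is also server-side, but filesize() is explicit.
    if (filesize($tmp) > $maxBytes) {
        $errors['fileSize'] = 'Uploaded file is too large';
    }

    // getimagesize() parses the image header, so a renamed non-image fails here.
    // It only proves the header is an image, so still store uploads where PHP
    // does not execute and serve them with the detected type, not the extension.
    $info = @getimagesize($tmp);
    if ($info === false || !in_array($info[2], $allowedTypes, true)) {
        $errors['image'] = 'Uploaded file is not a GIF, JPEG or PNG image';
    } elseif (max($info[0], $info[1]) > $maxDimension) {
        $errors['dimensions'] = 'Image is larger than ' . $maxDimension . 'px';
    } elseif (image_type_to_extension($info[2], false) !== $ext) {
        $errors['extension'] = 'Extension does not match the image content';
    }

    return $errors;
}
```

Call it as `$errors = validateLogoUpload($_FILES['logo']);` and only move the file into place when `$errors` is empty.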
 
Great, thanks for the reply, that's what I've done, and I used that maxFileSize method; it's doing the work ;)