Uploading of Avatars

How safe is this method for dealing with files submitted for use as an avatar?

    /*
    For live site if someone isn't logged in, the script will end
    */
    // As shown here, an anonymous request does not stop: it continues with
    // $user_id = 0 and the avatar is written as avatar_u0.png.
    if (!isset($_SESSION['user_id'])) {
        $user_id = 0;
    } else {
        $user_id = $_SESSION['user_id'];
    }
    
    // Referer comparison. The header is set by the client and may be absent,
    // which raises an undefined-index notice before the comparison runs.
    if ( $_SERVER['HTTP_REFERER'] <> 'http://localhost/universal_empires/usercp/uploadavatar' ) {
        $this->sys_message->add_sys_message('e','Access Denied!',"Sorry, something went wrong with this page, the Administrators have been alerted!",'http://localhost/universal_empires/usercp/uploadavatar');
        return false;        
    }        
    
    // is_uploaded_file() confirms tmp_name really came from this request's upload.
    if ( !is_uploaded_file($_FILES['upload']['tmp_name']) ) {
        $this->sys_message->add_sys_message('e','No Avatar Selected!',"Sorry, you didn't select an image to use as an avatar! You Numpty!",'http://localhost/universal_empires/usercp/uploadavatar');
        return false;
    }
    
    // 8 KB cap; $_FILES['upload']['size'] is measured by PHP, not supplied by the client.
    if ($_FILES['upload']['size'] > 8192 ) {

        $this->sys_message->add_sys_message('e','File Too Large!',"Sorry, the file is too large! You Numpty!",'http://localhost/universal_empires/usercp/uploadavatar');
        return false;
    }

    // Destination is built from the integer user id only; the upload is decoded by GD
    // and written back out as a fresh PNG, so the original bytes never reach disk.
    $avatar_name = 'C:\wamp\www\universal_empires\public\avatars\avatar_u'.$user_id.'.png';
    $avatar = imagepng(imagecreatefromstring(file_get_contents($_FILES['upload']['tmp_name'])), $avatar_name);

I know that I need to add a bit to shrink the size of the image (width and height). Are there any obvious security flaws that I’ve missed?

You should also use mime_content_type. It is now supported in PHP 7 if you are using it. I highly suggest not checking file extensions, as that is not reliable and can be spoofed.

I’m not checking for file extensions:


    $avatar = imagepng(imagescale(imagecreatefromstring(file_get_contents($_FILES['upload']['tmp_name'])),250,250), $avatar_name);
    
    // imagepng() returns bool (imagecreatefromstring() returns false when the data is
    // not a decodable image), so the failure value to compare against is false, not null.
    // On PHP 8, passing that false into imagescale() throws a TypeError instead.
    if ($avatar === false ) {
        $this->sys_message->add_sys_message('e','Invalid File Type!',"Sorry, the file is of the wrong type for an avatar! You Numpty!",'http://localhost/universal_empires/usercp/uploadavatar');
        return false;        
    }

I look out for imagepng() returning null upon attempting to create a PNG.
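A hardened version of the handler discussed in this thread, added here as an example (it is not code posted by the original author and not part of Universal Empires). It folds in the mime_content_type() suggestion from the reply, keeps the decode-and-re-encode approach from the last post, and adds the checks a reviewer would ask for: stop instead of falling back to user 0, a CSRF token instead of a Referer comparison, an upload-error check, dimension bounds before decoding, and a filename built only from the integer user id. The names store_avatar(), handle_avatar_request(), the csrf_token session key and the AVATAR_* constants are assumptions; it needs PHP 7+ with the GD and fileinfo extensions, and the CLI demo at the bottom constructs its own sample files.

```php
<?php
// Added example for this thread, not the original author's code. Assumes PHP 7+ with GD
// and fileinfo; the session keys 'user_id' and 'csrf_token' are hypothetical names.
declare(strict_types=1);

const AVATAR_MAX_BYTES  = 8192;  // same cap as the original handler
const AVATAR_MAX_PIXELS = 4000;  // per-side bound on declared size, checked before decoding
const AVATAR_SIDE       = 250;   // output size, as in the original imagescale() call

/**
 * Validate an image file at $path and write a freshly re-encoded PNG for $userId.
 * Re-encoding through GD is the real defence: a trailing PHP payload, a script in
 * EXIF, or a polyglot header does not survive decode + imagepng().
 */
function store_avatar(string $path, int $userId, string $destDir): array
{
    $fail = function (string $why): array { return ['ok' => false, 'reason' => $why]; };

    $size = @filesize($path);
    if ($size === false || $size === 0 || $size > AVATAR_MAX_BYTES) {
        return $fail('file missing, empty or larger than ' . AVATAR_MAX_BYTES . ' bytes');
    }

    // Magic-byte sniffing (the mime_content_type() suggestion). It rejects a bare PHP
    // script, but NOT a file whose first bytes form a valid image; that is why the
    // re-encode below is still needed.
    $mime = mime_content_type($path);
    if (!in_array($mime, ['image/png', 'image/jpeg', 'image/gif'], true)) {
        return $fail("not an image (mime_content_type reports $mime)");
    }

    // Header-declared dimensions, checked before decoding: an 8 KB file can declare a
    // huge canvas, and imagecreatefromstring() would allocate all of it.
    $info = @getimagesize($path);
    if ($info === false || $info[0] > AVATAR_MAX_PIXELS || $info[1] > AVATAR_MAX_PIXELS) {
        return $fail('undecodable header or declared size too large');
    }

    // Decode. imagecreatefromstring() returns false (never null) and emits a warning on bad data.
    $src = @imagecreatefromstring((string) file_get_contents($path));
    if ($src === false) {
        return $fail('GD could not decode the image');
    }
    $dst = imagescale($src, AVATAR_SIDE, AVATAR_SIDE);
    imagedestroy($src);
    if ($dst === false) {
        return $fail('resize failed');
    }

    // Path comes from the integer user id only; nothing client-supplied reaches it.
    // Serve $destDir from a location where the web server does not execute scripts.
    $out = rtrim($destDir, '/\\') . '/avatar_u' . $userId . '.png';
    $ok  = imagepng($dst, $out);  // bool, never null
    imagedestroy($dst);
    return $ok ? ['ok' => true, 'path' => $out] : $fail('could not write ' . $out);
}

/** Web entry point (not run by the CLI demo): auth, CSRF and upload checks first. */
function handle_avatar_request(string $destDir): array
{
    if (empty($_SESSION['user_id'])) {
        return ['ok' => false, 'reason' => 'not logged in'];  // stop; no fallback to user 0
    }
    // A Referer comparison is not a CSRF defence: the header is client-controlled and is
    // often stripped by privacy settings. Check a per-session token sent with the form.
    if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
        || !hash_equals($_SESSION['csrf_token'], (string) $_POST['csrf_token'])) {
        return ['ok' => false, 'reason' => 'bad CSRF token'];
    }
    if (!isset($_FILES['upload']) || $_FILES['upload']['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($_FILES['upload']['tmp_name'])) {
        return ['ok' => false, 'reason' => 'no avatar selected'];
    }
    return store_avatar($_FILES['upload']['tmp_name'], (int) $_SESSION['user_id'], $destDir);
}

if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/avatar_demo_' . getmypid();
    if (!is_dir($dir)) { mkdir($dir, 0700); }

    // Constructed sample 1: a genuine 8x8 PNG generated with GD.
    $good = "$dir/good.png";
    $im = imagecreatetruecolor(8, 8);
    imagefill($im, 0, 0, imagecolorallocate($im, 200, 30, 30));
    imagepng($im, $good);
    imagedestroy($im);
    // Constructed sample 2: a PHP script wearing a .png name.
    $bad = "$dir/bad.png";
    file_put_contents($bad, "<?php system(\$_GET['c']); ?>");
    // Constructed sample 3: a polyglot, real PNG bytes followed by a PHP payload.
    $poly = "$dir/poly.png";
    file_put_contents($poly, file_get_contents($good) . "<?php system(\$_GET['c']); ?>");

    foreach (['good' => $good, 'bad' => $bad, 'poly' => $poly] as $label => $path) {
        $r = store_avatar($path, 42, $dir);
        printf("%-4s -> %s\n", $label, $r['ok'] ? 'stored ' . $r['path'] : 'rejected: ' . $r['reason']);
        if ($r['ok']) {
            $written = file_get_contents($r['path']);
            $dims = getimagesize($r['path']);
            printf("        payload in output: %s, dimensions: %dx%d\n",
                strpos($written, '<?php') === false ? 'no' : 'yes', $dims[0], $dims[1]);
        }
    }
}
```

Run it with `php avatar_demo.php`. The plain PHP script is rejected by mime_content_type(), and the polyglot passes that check (its first bytes are a valid PNG), which is the limit of magic-byte sniffing; it is the decode and re-encode step that leaves the stored file without the payload. Keep the `@` suppressions narrow: they only hide GD's warnings on malformed input, and the false return is still checked.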
