
Author Topic: Bug: Avatar files with square close bracket "]" broken  (Read 5802 times)


bitcloud

Bug: Avatar files with square close bracket "]" broken
« on: April 23, 2007, 11:30:49 am »

Hi again..

Another bug here... this time in avatar_manage.php.

If you select a previously uploaded file which contains a "]" (other characters seem to be ok to the best of my testing) the filename will break at that point.

I.e. a filename called "beach[sunrise].jpg" will display fine everywhere including the avatar manage, but as soon as you set it to your avatar you end up with avatar_manage.php, profile.php and comments (everywhere the avatar shows up) trying to display a chopped filename - "beach"

It removes everything after (and including) the close square bracket from the avatar filename entry...

My users tend to use square brackets in their filenames, so if you can think of any way around this, that'd be muchly appreciated!

you can see this in action here:
http://stramm.st.funpic.org/profile.php?uid=127
« Last Edit: April 24, 2007, 10:31:53 am by Stramm »

Stramm

Re: Bug: Avatar files with square close bracket "]" broken
« Reply #1 on: April 24, 2007, 10:06:42 am »

known problem, you reported that some time back
http://forum.coppermine-gallery.net/index.php?topic=42658.0

Problem isn't sanitizing. It's how the input tag and its attributes work. The ] ends the name attribute, and that one is used to pass the filename. For example
Code:
<input type="checkbox" id="checkall" name="list[samplefile[No1].jpg]" value="123" />
so we just encode the name and all's good

in avatar_manage.php find
Code:
$filename=$CONFIG['mini_pfx'].$i['filename'];
and replace with
Code:
$filename=$CONFIG['mini_pfx'].urlencode($i['filename']);
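
Added example, not part of the thread or of Coppermine's code: the PHP below replays the form submission through PHP's own parse_str() to show where the array key ends for a bracketed filename, and that a urlencode()'d name survives parsing and is restored by urldecode(). The filenames and the helper submit_and_parse() are constructed for illustration; that the receiving script decodes the key is an assumption.

```php
<?php
// Added example: how PHP turns a submitted field name into array keys.
// The filenames below are constructed samples.

/** Simulate a browser submitting <input name="list[$key]" value="123">. */
function submit_and_parse(string $key): array
{
    // Browsers percent-encode the field name in the request body.
    $body = rawurlencode("list[$key]") . '=123';
    // parse_str() applies the same name parsing PHP uses to fill $_POST.
    parse_str($body, $vars);
    return array_keys($vars['list'] ?? []);
}

$samples = ['beach[sunrise].jpg', 'samplefile[No1].jpg', 'plain.jpg'];

foreach ($samples as $filename) {
    // Raw name: PHP ends the array key at the first "]" it finds.
    $raw = submit_and_parse($filename);

    // Encoded name, as in the fix: brackets become %5B / %5D, so the key
    // passes through parsing intact and urldecode() restores the filename.
    // (Assumption: the receiving script decodes the key before using it.)
    $enc = array_map('urldecode', submit_and_parse(urlencode($filename)));

    printf(
        "%-22s raw key: %-24s encoded+decoded key: %-24s %s\n",
        $filename,
        var_export($raw[0] ?? null, true),
        var_export($enc[0] ?? null, true),
        ($enc[0] ?? null) === $filename ? 'round-trips' : 'MISMATCH'
    );
}
```

Because urlencode() output contains only letters, digits and `-_.%+`, the encoded name is also safe to place inside the quoted name attribute.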

bitcloud

Re: Bug: Avatar files with square close bracket "]" broken
« Reply #2 on: April 24, 2007, 10:22:46 am »

Thanks.. that's fixed it

I think the other problem is independent of this bug. It seems to be a problem with the main code... for now I've just avoided uploading from URLs

Stramm

Re: Bug: Avatar files with square close bracket "]" broken
« Reply #3 on: April 24, 2007, 10:31:20 am »

I do not have any problems with uploading images containing square brackets for use as avatars - the avatar manage renames them to user_1000+uid_avatar.jpg as it should be