From 43450707203f15d644636c11326608593adf0d78 Mon Sep 17 00:00:00 2001
From: "Fedor A. Fetisov"
Date: Mon, 28 Oct 2013 16:54:55 +0400
Subject: [PATCH] Secure an avatar's filename

---
 src/mibew/operator/avatar.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/mibew/operator/avatar.php b/src/mibew/operator/avatar.php
index 233df0dc..054b0991 100644
--- a/src/mibew/operator/avatar.php
+++ b/src/mibew/operator/avatar.php
@@ -46,8 +46,8 @@ if (!$op) {
 $orig_filename = $_FILES['avatarFile']['name'];
 $tmp_file_name = $_FILES['avatarFile']['tmp_name'];
- $ext = strtolower(substr($orig_filename, 1 + strrpos($orig_filename, ".")));
- $new_file_name = "$opId.$ext";
+ $ext = preg_replace('/\//', '', strtolower(substr($orig_filename, 1 + strrpos($orig_filename, ".")))));
+ $new_file_name = intval($opId). ".$ext";
 $file_size = $_FILES['avatarFile']['size'];
 if ($file_size == 0 || $file_size > Settings::get('max_uploaded_file_size')) {