Secure an avatar's filename

2025-02-01 05:44:41 +03:00 · 2013-10-28 16:54:55 +04:00 · 2013-10-28 16:54:55 +04:00 · 4345070720
commit 4345070720
parent 7f4b1fa9cc
1 changed files with 2 additions and 2 deletions
--- a/src/mibew/operator/avatar.php
+++ b/src/mibew/operator/avatar.php
@ -46,8 +46,8 @@ if (!$op) {
 		$orig_filename = $_FILES['avatarFile']['name'];
 		$tmp_file_name = $_FILES['avatarFile']['tmp_name'];

-		$ext = strtolower(substr($orig_filename, 1 + strrpos($orig_filename, ".")));
-		$new_file_name = "$opId.$ext";
+		$ext = preg_replace('/\//', '', strtolower(substr($orig_filename, 1 + strrpos($orig_filename, "."))));
+		$new_file_name = intval($opId). ".$ext";

 		$file_size = $_FILES['avatarFile']['size'];
 		if ($file_size == 0 || $file_size > Settings::get('max_uploaded_file_size')) {