View Issue Details

IDProjectCategoryView StatusLast Update
0000711XMB Hacks 1.9.xpublic2024-05-03 12:09
Reporterflushedpancake Assigned To 
Status newResolutionopen 
Summary0000711: Avatar upload hack no longer works
DescriptionNot only does trying to do svn patch not work (it creates broken php files and rejects the whole patch which is annoying), but trying to manually add the stuff just comes up a blank screen.

Also the instructions for cp.php refer to lines which no longer exist in the cp.php file it seems.

I'm not at my main pc at the moment and I forgot to turn error display back on on localhost after reinstalling linux so I'll fetch that in a bit.
TagsNo tags attached.



2024-05-02 16:29

reporter   ~0000510

Some other notes:
-the avatar uploader doesn't allow you to use 'jpeg', 'jpe' or 'jfif' as an extension, which are perfectly valid JPEG formats (the first one of which is seen on iOS)
-webp support should probably be added as the avatar url can handle it just fine
-the token it uses is extremely insecure (md5 hashing the username? really?)
-for some odd reason, it allows uploading BMP files which won't even be displayed by the browser anyways and will take lots of space up on the server
-it should probably do checks if the gd extension is installed and whether the folder is writable - if both of these fail, fallback to the url system instead

I shouldn't ramble on too much about the issues, though


2024-05-03 12:07

reporter   ~0000511

This makes even less sense now I turned on error display...

            require ROOT.'include/';
            $attachlimits = ' '.$lang['attachmaxsize'].' '.getSizeFormatted($SETTINGS['maxattachsize']).'. '.$lang['attachmaxdims'].' '.$SETTINGS['max_image_size'].'.';


2024-05-03 12:08

reporter   ~0000512

Also, this causes a crash too:

            // Avatar Upload Translation
            if (!isset($lang['avatar_upload'])) {
                setNewLangValue('avatar_upload', 'Upload Avatar:');

However, the code still works properly with the 'eval' removed from what I can tell


2024-05-03 12:09

reporter   ~0000513

Oh I forgot to mention that the actual php error in comment 511 is 'call to undefined function'.
You know, right after the line telling the system to require the file that includes that very function.

Issue History

Date Modified Username Field Change
2024-05-02 16:24 flushedpancake New Issue
2024-05-02 16:29 flushedpancake Note Added: 0000510
2024-05-03 12:07 flushedpancake Note Added: 0000511
2024-05-03 12:08 flushedpancake Note Added: 0000512
2024-05-03 12:09 flushedpancake Note Added: 0000513