From 23d2798b6daeab2afaa605dfaeb49dfb718e306f Mon Sep 17 00:00:00 2001
From: Andreas Fischer
Date: Sat, 12 Feb 2011 19:12:51 +0100
Subject: [PATCH] [ticket/10038] Use request_var() in the avatar code path of download/file.php
There is no reason not to use request_var() here because it is available anyway since 3afd2c6948e777fde2f43f00bff1659f2691f4d8. This change especially prevents submitting an array which might then throw an error in one of the string functions substr() or strpos() later on.
PHPBB3-10038
---
 phpBB/download/file.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/phpBB/download/file.php b/phpBB/download/file.php
index 5f45b88359..f5a766dd57 100644
--- a/phpBB/download/file.php
+++ b/phpBB/download/file.php
@@ -64,7 +64,7 @@ if (isset($_GET['avatar']))
 $browser = (!empty($_SERVER['HTTP_USER_AGENT'])) ? htmlspecialchars((string) $_SERVER['HTTP_USER_AGENT']) : 'msie 6.0';
 $config = $cache->obtain_config();
- $filename = $_GET['avatar'];
+ $filename = request_var('avatar', '');
 $avatar_group = false;
 $exit = false;
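Review bot: `$filename` can now be the empty string, since `request_var('avatar', '')` falls back to its default when `avatar` is submitted as an array, and nothing visible in the hunk rejects that value. The validation that follows starts outside the hunk, so confirm that an empty name takes the same refusal path as a malformed one rather than reaching the string functions the commit message mentions. I would also add a comment above the assignment, `// request_var() only forces a trimmed, HTML-escaped string; it does not validate the avatar file name`, so the cast is not mistaken for the path check. The enclosing `if (isset($_GET['avatar']))` still tests `$_GET` directly, while request_var() as I know it reads the merged request data, so the guard and the read may not be looking at the same source.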