[ticket/11534] Check remote avatar content type if possible

This should make sure that error pages like 404 or 503 pages are not treated as remote avatar images. PHPBB3-11534
2025-07-31 05:50:42 +02:00 · 2013-10-24 21:03:06 +02:00
parent 2adf3d7a34
commit 9b0b5481fe
2 changed files with 40 additions and 0 deletions
--- a/phpBB/phpbb/avatar/driver/remote.php
+++ b/phpBB/phpbb/avatar/driver/remote.php
@@ -125,6 +125,37 @@ class remote extends \phpbb\avatar\driver\driver
 		$types = \fileupload::image_types();
 		$extension = strtolower(\filespec::get_extension($url));

+		// Check if this is actually an image
+		if ($file_stream = @fopen($url, 'r'))
+		{
+			// Timeout after 1 second
+			stream_set_timeout($file_stream, 1);
+			$meta = stream_get_meta_data($file_stream);
+			foreach ($meta['wrapper_data'] as $header)
+			{
+				$header = preg_split('/ /', $header, 2);
+				if (strtr(strtolower(trim($header[0], ':')), '_', '-') === 'content-type')
+				{
+					if (strpos($header[1], 'image/') !== 0)
+					{
+						$error[] = 'AVATAR_URL_INVALID';
+						fclose($file_stream);
+						return false;
+					}
+					else
+					{
+						fclose($file_stream);
+						break;
+					}
+				}
+			}
+		}
+		else
+		{
+			$error[] = 'AVATAR_URL_INVALID';
+			return false;
+		}
+
 		if (!empty($image_data) && (!isset($types[$image_data[2]]) || !in_array($extension, $types[$image_data[2]])))
 		{
 			if (!isset($types[$image_data[2]]))