Hi,
There should be checks for size and extension. I'm proposing that we should check these because of:
1. avoiding unnecessary storage of big files
2. avoiding upload of dangerous non-image files like naughtyfile.jpg.vbs


NEC,
I discovered that too - I agree, keeping users' original photos is not a good idea! I really have been having a lot of problems with the current avatar upload code in Pligg 9.
Especially with caching of avatars. I have done some research and found that using time() in the filename can act as a workaround. But it can't work with the current codebase. The current code just looks for {$user}_120.jpg after a user has submitted "useruploaded" to the db.
And another problem with the current avatar uploader in Pligg 9 is that if a user selects the "I'd like to upload my avatar" radio and submits, then navigates to another page without uploading an image, the image will appear as missing/broken rather than the default gravatar showing as it did with Pligg 7.
-bergs
Why not just modify the routine to unlink the original file after it has been successfully resized? AFAIK there isn't a way to change the avatar sizes in the admin and update all of the existing avatars to match, so the original will never be needed again.
For changing avatars there should be some sort of JavaScript check to prevent people from changing it without actually uploading something. OR... a file check to see if the avatar exists and, if not, then show a default image.
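
The checks suggested in this thread, as an added example in PHP (not Pligg's code and not written by any poster here). It assumes the GD extension and a 512 KiB limit; the function names `store_avatar` and `avatar_or_default` are hypothetical, and only the `{$user}_120.jpg` naming comes from the thread.

```php
<?php
// Added example, not Pligg code. Requires the GD extension (assumption).
const AVATAR_MAX_BYTES = 512 * 1024;                  // assumed size limit
const AVATAR_EXTS = ['jpg', 'jpeg', 'png', 'gif'];
const AVATAR_TYPES = [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF];

// $file is one entry of $_FILES. Returns the stored path or throws.
function store_avatar(array $file, string $user, string $dir): string
{
    $tmp = $file['tmp_name'];
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($tmp)) {
        throw new RuntimeException('upload failed');
    }
    // Size check on the real file, before any image decoding.
    if (filesize($tmp) > AVATAR_MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Only the last extension counts: "naughtyfile.jpg.vbs" gives "vbs".
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, AVATAR_EXTS, true)) {
        throw new RuntimeException('extension not allowed');
    }
    // The name is client-supplied, so also confirm the bytes are an image.
    $info = getimagesize($tmp);
    if ($info === false || !in_array($info[2], AVATAR_TYPES, true)) {
        throw new RuntimeException('not an image');
    }
    $src = imagecreatefromstring(file_get_contents($tmp));
    if ($src === false) {
        throw new RuntimeException('image could not be decoded');
    }
    // Re-encode to a fixed-size JPEG under a server-chosen name.
    $dst = imagecreatetruecolor(120, 120);
    imagecopyresampled($dst, $src, 0, 0, 0, 0, 120, 120, imagesx($src), imagesy($src));
    $target = $dir . '/' . preg_replace('/[^A-Za-z0-9_-]/', '', $user) . '_120.jpg';
    if (!imagejpeg($dst, $target, 85)) {
        throw new RuntimeException('could not write avatar');
    }
    unlink($tmp);   // drop the original; only the resized copy is kept
    return $target;
}

// Show the default image when the user's avatar file does not exist.
function avatar_or_default(string $user, string $dir, string $default): string
{
    $path = $dir . '/' . preg_replace('/[^A-Za-z0-9_-]/', '', $user) . '_120.jpg';
    return is_file($path) ? $path : $default;
}
```

The file-existence fallback runs on the server, so it still applies when a browser-side JavaScript check is skipped or disabled.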