From 03ddfbbaf1ba078df16638c642f8a3a9d8ca8c1c Mon Sep 17 00:00:00 2001 From: Fyorl Date: Fri, 15 Jun 2012 14:10:20 +0100 Subject: [PATCH 1/3] [ticket/10963] Modified filespec::is_image() to check actual mimetype Modified filespec::is_image() to check the Fileinfo mimetype rather than trusting the browser. PHPBB3-10963 --- phpBB/includes/functions_upload.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/phpBB/includes/functions_upload.php b/phpBB/includes/functions_upload.php index f70e20e616..f3ae9d6cc4 100644 --- a/phpBB/includes/functions_upload.php +++ b/phpBB/includes/functions_upload.php @@ -151,7 +151,10 @@ class filespec */ function is_image() { - return (strpos($this->mimetype, 'image/') !== false) ? true : false; + $finfo = new finfo(FILEINFO_MIME_TYPE); + $mimetype = $finfo->file($this->filename); + + return (strpos($mimetype, 'image/') !== false) ? true : false; } /** @@ -342,6 +345,7 @@ class filespec // Remove temporary filename @unlink($this->filename); + $this->filename = $this->destination_file; if (sizeof($this->error)) { From f208b59c5984e686a3589eb83d5edb0b69bc020b Mon Sep 17 00:00:00 2001 From: Fyorl Date: Tue, 19 Jun 2012 13:27:27 +0100 Subject: [PATCH 2/3] [ticket/10963] Removed superfluous ternary statement and strpos now stricter PHPBB3-10963 --- phpBB/includes/functions_upload.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/phpBB/includes/functions_upload.php b/phpBB/includes/functions_upload.php index f3ae9d6cc4..aedf361000 100644 --- a/phpBB/includes/functions_upload.php +++ b/phpBB/includes/functions_upload.php @@ -154,7 +154,7 @@ class filespec $finfo = new finfo(FILEINFO_MIME_TYPE); $mimetype = $finfo->file($this->filename); - return (strpos($mimetype, 'image/') !== false) ? true : false; + return (strpos($mimetype, 'image/') === 0); } /** From 4fbcf4eaadea0425c7f8bf0ff02a60bd2165136b Mon Sep 17 00:00:00 2001 
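Review bot: `new finfo(FILEINFO_MIME_TYPE)` in is_image() is called without checking that the Fileinfo extension is loaded, so on an installation without it every call ends in a fatal "class not found" error instead of a rejected upload. A guard such as `if (!class_exists('finfo')) { return false; }` before the constructor keeps the check fail-closed without falling back to the browser-supplied type. `$finfo->file()` also returns false when the file cannot be read; the strpos() test then yields false, which is the safe outcome but deserves a comment. The same unguarded constructor moves into get_mimetype() in the `@@ -203,17 +201,12 @@` hunk of PATCH 3/3, which drops the old `function_exists('mime_content_type')` guard, so in the final state the guard belongs there.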
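Review bot: `$this->filename = $this->destination_file;` is assigned unconditionally, before the `if (sizeof($this->error))` check that follows it in the hunk, so after a failed move the object points at a destination that may not exist or may hold an older file. Later calls that inspect `$this->filename`, such as the content sniffing in is_image(), would then examine the wrong path. Moving the assignment below the error check, or guarding it with `if (!sizeof($this->error))`, keeps the property pointing at a file this upload actually produced. The enclosing method starts and ends outside the hunk, so whether the error branch returns early is not visible here.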
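Review bot: The prefix test `strpos($mimetype, 'image/') === 0` accepts every subtype that libmagic reports under image/, including `image/svg+xml`, which can carry script when a browser renders it inline. If callers use is_image() to decide what may be displayed, comparing against an explicit list is safer, for example `return in_array($mimetype, array('image/gif', 'image/jpeg', 'image/png'), true);`, with the list set to whatever the board actually permits (the three types here are illustrative). A sniffed type also describes only the bytes libmagic inspected, so it should complement, not replace, the extension and storage checks made elsewhere. How callers use the result is outside this hunk.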
From: Fyorl Date: Wed, 4 Jul 2012 13:27:55 +0100 Subject: [PATCH 3/3] [ticket/10963] filespec::get_mimetype now used filespec::get_mimetype now uses the finfo class in order to detect the mimetype of a given filename. filespec::is_image() now uses this method. PHPBB3-10963 --- phpBB/includes/functions_upload.php | 15 ++++----------- 1 file changed, 4 insertions(+), 11 deletions(-) diff --git a/phpBB/includes/functions_upload.php b/phpBB/includes/functions_upload.php index aedf361000..33cb585b19 100644 --- a/phpBB/includes/functions_upload.php +++ b/phpBB/includes/functions_upload.php @@ -151,9 +151,7 @@ class filespec */ function is_image() { - $finfo = new finfo(FILEINFO_MIME_TYPE); - $mimetype = $finfo->file($this->filename); - + $mimetype = $this->get_mimetype($this->filename); return (strpos($mimetype, 'image/') === 0); } @@ -203,17 +201,12 @@ class filespec } /** - * Get mimetype. Utilize mime_content_type if the function exist. - * Not used at the moment... + * Get mimetype. Utilises the finfo class. */ function get_mimetype($filename) { - $mimetype = ''; - - if (function_exists('mime_content_type')) - { - $mimetype = mime_content_type($filename); - } + $finfo = new finfo(FILEINFO_MIME_TYPE); + $mimetype = $finfo->file($filename); // Some browsers choke on a mimetype of application/octet-stream if (!$mimetype || $mimetype == 'application/octet-stream')
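Review bot: is_image() now has no comment saying which mimetype it trusts, and the blank line that separated the lookup from the return was dropped along with the finfo lines. `$this->mimetype`, the value the first commit message describes as coming from the browser, presumably still exists on the class. A line such as `// Type is sniffed from the file on disk; the browser-supplied $this->mimetype is deliberately ignored` above the call would stop a later edit from switching back. The docblock for is_image() begins outside the hunk, so it may already say this.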
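Review bot: The rewritten docblock for get_mimetype() says only that it uses finfo; it should also state that `$filename` must be a path on the server's disk and what is returned when detection fails. I would add `@param string $filename Path of the file on disk to inspect` and an `@return string` line describing the fallback chosen by the `if (!$mimetype || ...)` branch, whose body lies outside the hunk. `$finfo->file()` returns false and raises a warning for an unreadable path, so the comment above that branch could mention that it covers the failure case as well as `application/octet-stream`.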