#13906 Invalid files will be silently ignored

git-svn-id: file:///svn/phpbb/trunk@7989 89ea8834-ac86-4346-8a33-228a782c2dd0
2025-06-27 21:58:52 +00:00 · 2007-07-31 16:31:30 +00:00 · 2007-07-31 16:31:30 +00:00 · cef5720962
commit cef5720962
parent de8c0a3b9c
2 changed files with 2 additions and 2 deletions
--- a/phpBB/docs/CHANGELOG.html
+++ b/phpBB/docs/CHANGELOG.html
@ -191,6 +191,7 @@ p a {
 	<ul class="menu">
 		<li>[Fix] MySQL, PostgreSQL and SQLite related database fixes (Bug #13862)</li>
 		<li>[Fix] Allow MS SQL to properly connect when using the mssql driver and PHP is less than either 4.4.1 or 5.1 (Bug #13874)</li>
 		<li>[Fix] Ignore files containging HTML special chars in the filenames as gallery avatars (Bug #13906)</li>
 		<li>[Fix] Multiple PM recipients not separated (Bug #13876)</li>
 	</ul>
--- a/phpBB/includes/functions_user.php
+++ b/phpBB/includes/functions_user.php
@ -1981,14 +1981,13 @@ function avatar_gallery($category, $avatar_select, $items_per_column, $block_var
 				$dp2 = @opendir("$path/$file");
 				while (($sub_file = readdir($dp2)) !== false)
 				{
-					if (preg_match('#\.(?:gif|png|jpe?g)$#i', $sub_file))
+					if (preg_match('#^[^&"<>]*\.(?:gif|png|jpe?g)$#i', $sub_file))
 					{
 						$avatar_list[$file][$avatar_row_count][$avatar_col_count] = array(
 							'file'		=> "$file/$sub_file",
 							'filename'	=> $sub_file,
 							'name'		=> ucfirst(str_replace('_', ' ', preg_replace('#^(.*)\..*$#', '\1', $sub_file))),
 						);
 						$avatar_col_count++;
 						if ($avatar_col_count == $items_per_column)
 						{