Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve avatar upload experience #3181

Merged
merged 4 commits into from
Dec 1, 2021
Merged

Improve avatar upload experience #3181

merged 4 commits into from
Dec 1, 2021

Conversation

askvortsov1
Copy link
Sponsor Member

Fixes #3055

  • On the frontend, accept only image types as a hint to the OS file picker
  • On the backend, use getimagesize as an additional validation guard against non-image files with image extensions. This isn't necessary for security, but results in less confusing error mesages.

askvortsov1 and others added 2 commits November 25, 2021 16:40
@askvortsov1
Improve avatar upload experience
720f7dd 
Fixes #3055

- On the frontend, accept only image types as a hint to the OS file picker
- On the backend, use `getimagesize` as an additional validation guard against non-image files with image extensions. This isn't necessary for security, but results in less confusing error mesages.
@askvortsov1 @StyleCIBot
Apply fixes from StyleCI
56fcbb6 
[ci skip] [skip ci]
@askvortsov1 askvortsov1 added this to the 1.2 milestone Nov 25, 2021
SychO9
SychO9 reviewed Nov 25, 2021
View reviewed changes
src/User/AvatarValidator.php Outdated
Comment on lines 69 to 73
if (! in_array($guessedExtension, $allowedTypes)) {
$stream = $file->getStream();
$tmpFilename = $stream->getMetadata('uri');
$notImage = ! getimagesize($tmpFilename);

if ($notImage || ! in_array($guessedExtension, $allowedTypes)) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

getimagesize doesn't seem to be a reliable way of checking if the file is an image (https://www.php.net/manual/en/function.getimagesize.php)

I'm thinking it might be better to catch errors when creation the intervention image object, logging the error in the logs, and returning a better response to the end user.

Copy link
Sponsor Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed to use that logic

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wouldn't get rid of the mimes check though 🤔 ? the try catch should act as a second check.

@askvortsov1 askvortsov1 merged commit c522657 into master Dec 1, 2021
@askvortsov1 askvortsov1 deleted the as/avatar_upload_tweaks branch December 1, 2021 20:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tankerkiller125 tankerkiller125 tankerkiller125 approved these changes

@davwheat davwheat davwheat approved these changes

@clarkwinkelmann clarkwinkelmann Awaiting requested review from clarkwinkelmann

@SychO9 SychO9 Awaiting requested review from SychO9

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.2
Development

Successfully merging this pull request may close these issues.

Avatar Upload throws a 500 error when file mimetype is incorrect but extension is correct
4 participants
@askvortsov1 @tankerkiller125 @davwheat @SychO9