Better checks on image type for photos:

-> mime_content_type MUST begin with image/
-> if image processing fails, do not submit the validation

git-svn-id: svn+ssh://murphy/home/svn/platal/trunk@1502 839d8a87-29fc-0310-9880-83ba4fa771e5

diff --git a/ChangeLog b/ChangeLog
index a2baeb6..46b06bc 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -11,6 +11,9 @@ New:
 
 Bug/Wish:
 
+    * Profile:
+        - Better checks on image type for photos                           -FRU
+
     * Xnet:
         - #639: Fix the number of pages                                    -FRU
 

diff --git a/include/validations/photos.inc.php b/include/validations/photos.inc.php
index 3a7e452..07c2adc 100644 (file)
--- a/include/validations/photos.inc.php
+++ b/include/validations/photos.inc.php
@@ -31,6 +31,7 @@ class PhotoReq extends Validate
     var $y;
 
     var $unique = true;
+    var $valid  = false;
 
     var $rules = "Refuser les photos copyrightées, de mineurs, ou ayant
     un caractère pornographique, violent, etc... Si une photo est mal
@@ -45,7 +46,7 @@ class PhotoReq extends Validate
     function PhotoReq($_uid, $_data, $_stamp=0)
     {
         $this->Validate($_uid, true, 'photo', $_stamp);
-        $this->_get_image($_data);
+        $this->valid = $this->_get_image($_data);
     }
 
     // }}}
@@ -111,6 +112,14 @@ class PhotoReq extends Validate
     }
 
     // }}}
+    // {{{ function isValid()
+
+    function isValid()
+    {
+        return $this->valid;
+    }
+
+    // }}}
     // {{{ function get_request()
 
     function get_request($uid)
@@ -140,7 +149,7 @@ class PhotoReq extends Validate
         if (isset($_FILES['userfile']['tmp_name'])) {
             $file = $_FILES['userfile']['tmp_name'];
             if ($data = file_get_contents($file)) {
-                if ($this->_get_image($data)) {
+                if ($this->valid = $this->_get_image($data)) {
                     return true;
                 }
             } else {

diff --git a/modules/profile.php b/modules/profile.php
index b4a2c2a..efa3076 100644 (file)
--- a/modules/profile.php
+++ b/modules/profile.php
@@ -124,16 +124,19 @@ class ProfileModule extends PLModule
                     .'/'.S::v('forlife').'.jpg';
 
         if (Env::has('upload')) {
-            if (isset($_FILES['userfile']['tmp_name']) 
-                    && !is_uploaded_file($_FILES['userfile']['tmp_name'])) {
+            if (isset($_FILES['userfile']['tmp_name']) && !is_uploaded_file($_FILES['userfile']['tmp_name'])) {
                 $page->trig('Une erreur s\'est produite lors du transfert du fichier');
-            } else {
+            } elseif (strpos(trim(mime_content_type($_FILES['userfile']['tmp_name'])), 'image/') !== 0) {
+                $page->trig('Le fichier que tu as transmis n\'est pas une image.');
+            } else {            
                 $file = is_uploaded_file($_FILES['userfile']['tmp_name'])
                         ? $_FILES['userfile']['tmp_name']
                         : Env::v('photo');
                 if ($data = file_get_contents($file)) {
                     $myphoto = new PhotoReq(S::v('uid'), $data);
-                    $myphoto->submit();
+                    if ($myphoto->isValid()) {
+                        $myphoto->submit();
+                    }
                 } else {
                     $page->trig('Fichier inexistant ou vide');
                 }
@@ -141,7 +144,7 @@ class ProfileModule extends PLModule
         } elseif (Env::has('trombi')) {
             $myphoto = new PhotoReq(S::v('uid'),
                                     file_get_contents($trombi_x));
-            if ($myphoto) {
+            if ($myphoto->isValid()) {
                 $myphoto->commit();
                 $myphoto->clean();
             }