Prevent users from uploading non-image files as Avatar/Profile Image?


  • jenny26
    Participant

    @jenny26

    I was told it’s a security risk, so I’m trying to prevent users from uploading non-image files as avatars and profile images. Currently it seems any file can be renamed to .jpg/png/gif and it will upload successfully.

    I was trying to run it through “getimagesize” to determine if the file is an actual image, but can’t get it to work. Here’s an example:

    function check_avatar_upload() {
        global $bp;
        // getimagesize() returns false when the file header is not a recognised image,
        // so a renamed non-image file fails here even though its extension is .jpg/.png/.gif.
        $size = getimagesize( $bp->avatar_admin->original['file'] );
        if ( $size === false ) {
            return false;
        }
    }

    add_action( 'bp_core_check_avatar_upload', 'check_avatar_upload', 10, 3 );

    (added it to bp-custom.php; other functions in there work fine).

    Not sure if I’m even hooking on the right function, or getting the original file correctly. I googled for the past few hours and couldn’t find specific code, tried dozens of different variations and I keep failing.

    I’m pretty new to this and would appreciate any help, thanks!


  • shanebp
    Moderator

    @shanebp

    Try using this hook bp_core_pre_avatar_handle_upload
    Found in buddypress\bp-core\bp-core-avatars.php


    jenny26
    Participant

    @jenny26

    Returns “An error occurred. Please try again later.” for all uploads, including legit images.


    jenny26
    Participant

    @jenny26

    In case anyone’s curious, I ended up changing the following in bp-core-avatars.php:

    // If the uploaded image is smaller than the "full" dimensions, throw a warning.
    if ( $avatar_attachment->is_too_small( $bp->avatar_admin->image->file ) ) {
        bp_core_add_message( sprintf( __( 'You have selected an image that is smaller than recommended. For best results, upload a picture larger than %d x %d pixels.', 'buddypress' ), bp_core_avatar_full_width(), bp_core_avatar_full_height() ), 'error' );
    }

    Changed to:

    // If the uploaded image is smaller than the "full" dimensions, throw a warning.
    if ( $avatar_attachment->is_too_small( $bp->avatar_admin->image->file ) ) {
        return false;
    }

    I realize changing anything in core files is a terrible idea, but no clue how to make it work otherwise. This basically doesn’t allow uploading any file under minimum dimensions.

    I’ve been trying the same thing in bp-custom.php:

    function check_avatar_upload() {
        global $bp;
        // Note: $avatar_attachment is not defined in this scope, unlike in the core file above.
        if ( $avatar_attachment->is_too_small( $bp->avatar_admin->image->file ) ) {
            return false;
        }
    }
    add_action( 'bp_core_pre_avatar_handle_upload', 'check_avatar_upload', 10, 3 );

    When in bp-custom.php the above results in “HTTP error.” for all uploads. Changing the action to bp_core_avatar_handle_upload just uploads everything.

    Hopefully it helps someone at least a little bit.


    shanebp
    Moderator

    @shanebp

    You should read up on what they do and how to use action and filter hooks.

    Untested, just to give you the general idea..

    // The hook passes three values: a boolean (true by default), the uploaded $file
    // array and the upload dir filter. The first one must be received as a variable.
    function jen_check_avatar_upload( $handle, $file, $upload_dir_filter ) {

       // check the $file re type, dims, etc
       // if you don't like the value of any param,
       // return false

       return true;

    }
    // bp_core_pre_avatar_handle_upload is applied with apply_filters(), so the
    // callback's return value is what BuddyPress looks at.
    add_filter( 'bp_core_pre_avatar_handle_upload', 'jen_check_avatar_upload', 10, 3 );
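    A filled-in version of the check the original question asks for (inspecting the file with getimagesize) on the hook suggested above. This is an added example for bp-custom.php, not code from the thread or from BuddyPress itself. It assumes the bp_core_pre_avatar_handle_upload filter receives ( true, $file, $upload_dir_filter ) with $file being the $_FILES-style array whose avatar entry is under the 'file' key, that the PHP fileinfo extension is available for the finfo cross-check, and that a message added with bp_core_add_message() is what the user sees when the callback returns false. The helper names are made up for this example.

```php
<?php
// Added example (not from the thread or BuddyPress): reject avatar uploads
// whose contents are not a real JPEG, PNG or GIF, whatever the file extension says.

function jen_avatar_is_real_image( $tmp_path ) {
    // getimagesize() parses the image header; a renamed script or executable fails here.
    $info = @getimagesize( $tmp_path );
    if ( false === $info ) {
        return false;
    }

    // $info[2] is the IMAGETYPE_* constant; only accept the formats the avatar code resizes.
    $allowed_types = array( IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF );
    if ( ! in_array( $info[2], $allowed_types, true ) ) {
        return false;
    }

    // Second, independent check: sniff the MIME type from the bytes on disk
    // (assumes the fileinfo extension is loaded) and require it to agree.
    $finfo = new finfo( FILEINFO_MIME_TYPE );
    $mime  = $finfo->file( $tmp_path );
    $allowed_mimes = array( 'image/jpeg', 'image/png', 'image/gif' );
    return in_array( $mime, $allowed_mimes, true );
}

function jen_check_avatar_upload( $handle, $file, $upload_dir_filter ) {
    // Respect an earlier filter that already rejected the upload.
    if ( ! $handle ) {
        return false;
    }

    // Assumption: BuddyPress hands over the $_FILES array with the avatar under 'file'.
    $tmp = isset( $file['file']['tmp_name'] ) ? $file['file']['tmp_name'] : '';

    // is_uploaded_file() ensures we only ever inspect the PHP upload temp file.
    if ( '' === $tmp || ! is_uploaded_file( $tmp ) ) {
        bp_core_add_message( __( 'No file was received.', 'buddypress' ), 'error' );
        return false;
    }

    if ( ! jen_avatar_is_real_image( $tmp ) ) {
        bp_core_add_message( __( 'Please upload a valid JPEG, PNG or GIF image.', 'buddypress' ), 'error' );
        return false;
    }

    // Everything checked out; let BuddyPress continue with its normal handling.
    return true;
}
add_filter( 'bp_core_pre_avatar_handle_upload', 'jen_check_avatar_upload', 10, 3 );
```

    Two checks are used on purpose: getimagesize() validates the image header, and the finfo sniff validates the MIME type from the same bytes, so a file has to satisfy both rather than just carry an image extension. Dropping this into bp-custom.php avoids editing bp-core-avatars.php, which the update process would overwrite.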