The file check during upload is based on extension verification against a hardcoded extension list. A user can change the file extension and upload basically any file he wants. Although there is some security set for the /upload directory, you may want to limit uploads to real graphic files. In such a case you should add the following code to /lib/plugin/Upload.php:
elseif ( !getimagesize( $userfile_tmpname ) ) {
    $message->pushContent(fmt("ERROR uploading '%s': ",$userfile_name));
    $message->pushContent(_("Sorry but this file does not have an image format."),HTML::br(),HTML::br());
}
You can put this after the block "elseif ($userfile->getSize() > (MAX_UPLOAD_SIZE))"
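The check above, pulled out into a standalone validator as an added example (this is not code from PhpWiki's Upload.php or from the commenter). It combines the existing extension allowlist with getimagesize(), and additionally requires that the image type getimagesize() detects matches the claimed extension, so a renamed file is rejected even when its content is some other valid image. The allowlist, the function name validate_image_upload() and the constructed sample files are assumptions made for this example; it needs only a stock PHP build, not GD.

```php
<?php
// Added example, not PhpWiki's own code. Assumed allowlist mapping each
// permitted extension to the IMAGETYPE_* constant getimagesize() must report.
const ALLOWED_IMAGE_TYPES = [
    'png'  => IMAGETYPE_PNG,
    'jpg'  => IMAGETYPE_JPEG,
    'jpeg' => IMAGETYPE_JPEG,
    'gif'  => IMAGETYPE_GIF,
];

/**
 * Validate an uploaded file as a real image of the claimed type.
 * $tmpname is the temporary upload path, $name the user-supplied filename.
 * Returns null when the file is acceptable, otherwise an error message.
 */
function validate_image_upload(string $tmpname, string $name): ?string
{
    // Step 1: the extension allowlist the plugin already applies.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        return sprintf("ERROR uploading '%s': extension .%s is not allowed", $name, $ext);
    }

    // Step 2: the content check from the comment. getimagesize() parses the
    // image header and returns false for anything it cannot decode, which
    // catches a non-image file that was simply renamed.
    $info = @getimagesize($tmpname);
    if ($info === false) {
        return sprintf("ERROR uploading '%s': Sorry but this file does not have an image format.", $name);
    }

    // Step 3: the detected type (index 2 is an IMAGETYPE_* constant) must
    // match the extension, so the file is served under the right content type.
    if ($info[2] !== ALLOWED_IMAGE_TYPES[$ext]) {
        return sprintf(
            "ERROR uploading '%s': content is a %s image, not .%s",
            $name,
            image_type_to_extension($info[2], false),
            $ext
        );
    }
    return null;
}

// Constructed sample inputs written to the temp directory so this runs offline:
// a well-known 1x1 transparent GIF, and a plain-text file pretending to be one.
$dir     = sys_get_temp_dir();
$realGif = $dir . '/sample_real.gif';
$fakeGif = $dir . '/sample_fake.gif';
file_put_contents($realGif, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
file_put_contents($fakeGif, "this is not an image\n");

$cases = [
    [$realGif, 'photo.gif'],   // genuine GIF with matching extension: accepted
    [$fakeGif, 'photo.gif'],   // renamed text file: rejected by getimagesize()
    [$realGif, 'photo.png'],   // genuine GIF but claimed as PNG: type mismatch
    [$realGif, 'notes.txt'],   // extension not on the allowlist
];
foreach ($cases as [$path, $claimedName]) {
    $result = validate_image_upload($path, $claimedName);
    printf("%-12s => %s\n", $claimedName, $result ?? 'OK');
}

unlink($realGif);
unlink($fakeGif);
```

Run it with `php validate_upload.php`. The type-match step is the part worth keeping alongside the comment's check: getimagesize() only inspects the header, so pairing it with the extension allowlist and storing the file under the extension that matches its detected type keeps the web server's content-type handling consistent with what was actually uploaded.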