Avatar upload problem since update to 2.0.17 [2 solutions]

[Illuminatus]

I can't upload avatars since the update to 2.0.17 anymore. It worked on 2.0.16. I changed my folder to 777 and made sure the admin settings still point to that folder.

After trying to upload, the debug tells me about filesizerestriction, which in reality is met but seems to be miscalculated (uploading a 20x20px file, when 400x400 is allowed).

So... any ideas? What has happened since the last update? Which detective will solve this case?

Oh... for sake of bureaucracy:
URL: [deleted fpr security reasons]
Template(s) used: subSilver
Any and all MODs: None
Do you use a port of phpBB: No
Version of phpBB: 2.0.17
Version of PHP: 4.1.2
Which database server and version: MySQL 3.23.49
Host: Myself on shared server
Did someone install this for you/who: No
Is this an upgrade/from what to what: From 2.0.16
Is this a conversion/from what to what: No
Have you searched for your problem: Yes
If so, what terms did you try: Avatar Upload
State the nature of your problem: can't upload avatars since the update to 2.0.17
Do you have a test account for us: No

[Stefan Koopmanschap]

I must admit I have no idea even where to start looking. I've notified the rest of the Support Team of this thread, hopefully someone else will be able to help you.

[CTCNetwork]

Hi,

I have a clean test forum, and have updated with the changed files updates from 2.0.15 to 2.0.16 and now 2.0.17..

I have just uploaded a new avatar - no issue at all...

So, is there something else amiss like Zend or something??

Can you create a phpinfo file please...

Des. . .

[Illuminatus]

Thanks for your immediate response.
The phpinfo() can be (temporarily) found here: [deleted fpr security reasons]
Updated above information with MySQL 3.23.49 and phpversion information.

I am a heavy user of phpBB since 1.x and this is the first time i could't fix a phpBB related issue on my own. So your help is very much appreciated.

As additional information I am running my server with safemode and php_admin_value open_basedir set to /var/kunden/webs/web1/ . I am running apache as www-data user and ftp works on a mysql driven virtual user (via syscp).

Must "funny" thing is that all was running well until the update. Strange...

[freshSparks]

i was having this same problem on a brand new 2.0.17 board. fixed after editing php.ini on the server and setting an actual upload_tmp_dir intead of using defaults. i set my to /tmp/phpupload and chmod'd it 777 and it was all gravy

[Illuminatus]

But I did noch change any server settings, so phpBB must have changed. I will ask my host if the changed anything on the shared server...

Update information:
I debugged by adding echo commands and found out that variables in usercp_avatar.php are empty, which results the conditional to fail:

Code: Select all

	if ( $width > 0 && $height > 0 && $width <= $board_config['avatar_max_width'] && $height <= $board_config['avatar_max_height'] )

The variables are set with:

Code: Select all

list($width, $height) = @getimagesize($avatar_filename);

@getimagesize($avatar_filename) also results in an empty value, but $avatar_filename=/tmp/phpjwNKoM (which indicates, that something has been written).

So the real question may be, why these variables are empty.

[Illuminatus]

Can someone help with the updated additional information?
The variables were checked with

Code: Select all

		echo("CUSTOM 3!!!");
		echo("width=$width");
		echo("height=$height");
		echo("imagesize=".@getimagesize($avatar_filename));
		echo("avatar_filename=".$avatar_filename);

in the else-path of the condition.

Uploading files with another php script works just fine...

[Illuminatus]

Update:
I tried usercp_avatar.php,v 1.8.2.17 and all works fine there. So the problem seems to be on phpBB's side of handling fileuploads, not on serverside.

Diffs are:

Code: Select all

//new
	$avatar_file = basename($avatar_file);

//new
	$avatar_filename = str_replace(array('../', '..\\', './', '.\\'), '', $avatar_filename);
	if ($avatar_filename{0} == '/' || $avatar_filename{0} == "\\")
	{
		return '';
	}

//new
	global $lang;

//changed
if ( !preg_match("#^((ht|f)tp://)([^ \?&=\#\"\n\r\t<]*?(\.(jpg|jpeg|gif|png))$)#is", $avatar_filename) )

//changed
if ( $width > 0 && $height > 0 && $width <= $board_config['avatar_max_width'] && $height <= $board_config['avatar_max_height'] )

//new
			if (!is_uploaded_file($avatar_filename))
			{
				message_die(GENERAL_ERROR, 'Unable to upload file', '', __LINE__, __FILE__);
			}

Maybe http://de3.php.net/manual/de/function.getimagesize.php is used wrong.
I also used

Code: Select all

echo("width=".$width."height=".$height);

on the old version and it came up with empty values. So definitely getimagesize() never worked this way, but empty values were ignored in the older version.

So I'll be using the old version until the problem is solved...

[Illuminatus]

My temporary fix comes down to this:
Replaced in new version of usercp_avatar.php:

Code: Select all

if ( $width > 0 && $height > 0 && $width <= $board_config['avatar_max_width'] && $height <= $board_config['avatar_max_height'] )

With:

Code: Select all

if ( $width <= $board_config['avatar_max_width'] && $height <= $board_config['avatar_max_height'] )

But someone competent should fix that (improper use of getimagesize()).

[YGT]

My problem like this .
I upgrade my data 0.13 to 0.17 and when I try to upload a avatar I see this error message!

Warning: copy(./images/avatars/100980801742e0c87a186b7.jpg): failed to open stream: Permission denied in /home/cagatay/public_html/forum17/includes/usercp_avatar.php on line 241

Warning: Cannot modify header information - headers already sent by (output started at /home/cagatay/public_html/forum17/includes/usercp_avatar.php:241) in /home/cagatay/public_html/forum17/includes/page_header.php on line 475

Warning: Cannot modify header information - headers already sent by (output started at /home/cagatay/public_html/forum17/includes/usercp_avatar.php:241) in /home/cagatay/public_html/forum17/includes/page_header.php on line 477

Warning: Cannot modify header information - headers already sent by (output started at /home/cagatay/public_html/forum17/includes/usercp_avatar.php:241) in /home/cagatay/public_html/forum17/includes/page_header.php on line 478


So, what is this!. How can I access this problem

[Illuminatus]

This has nothing to do with my problem, but

failed to open stream: Permission denied

tells me that your permissions are not correctly set. Try chmod your avatarfolder to 777. For more info on how to do that use the search function on keywords "avatar", "chmod" and "upload". If you can't chmod your folders on your host, you will have to leave the upload function alone or change to another host.

[YGT]

I check the directory permissions but also, all right permissions as assigned! How can I access it

[Illuminatus]

The code in question is:

Code: Select all

$move_file($avatar_filename, './' . $board_config['avatar_path'] . "/$new_filename");

The error message still tells me that you are not allowed to use the copy command, which means you are not privileged to do filecopy. Reasons may be server- or foldersettings, which restrict you doing so. Still has nothing to do with my original problem...

[Illuminatus]

The problem mentioned in the first post comes all down to this:

Code: Select all

@getimagesize($avatar_filename);

But getimagesize() has not the rights needed to read in the /tmp folder. To get avatar upload working without changing my serversystem, I will permanently use my mentioned fix. Hope this is not a security risk... I wonder why no one else has come across this problem in 2.0.17.

Help and comments still greatly appreciated!

[gohatto]

I have the same problem, and I described it here: http://www.phpbb.com/phpBB/viewtopic.php?t=309017


The solution which you write is right now the only way to make the avatars upload run smoothly. Hope this bug will be fixed professionally by smart guys from phpbb