Re: Plugin: Avatar Upload
The error sounds like it’s trying to call the add_action() function when either the file containing the function (wp-functions.php) isn’t included for some reason, or the plugin is being called before it has been included.
I do not know why this might occur, although the fact you are using an integrated WordPress/bbPress combo might be a factor. We really need somebody who knows more about the internals of both systems to help.
Anyway, by commenting out the add_action() function all you have done is prevent the plugin from automatically creating an identicon for newly registered users. So, it’s not such a biggie while trying to solve the problem.
Feel free to hack the script however you see fit — I realise I have been rather too strict with the filenames, especially as it is really only a first-stage precaution (the file gets renamed on the server anyway). Also, I believe some browsers add the whole path to the uploaded filename (something I neglected to address).
A solution I am adding to the next version will be to extract the actual filename from the path before checking.
$img_name = basename($img['name']);
Then, the number of necessary characters to allow is greatly reduced. I just prefer to approach it from the other end, block everything except what I explicitly allow. But as I said, feel free to hack it to suit your needs.
I was completely unaware that you could enter a URL into a file input (“browse”) field? You indicate that it forces Windows to download the file, but I am wondering whether it is a browser specific feature and whether it is supposed to work like that? I would not rely on it.
The mime-type comes from the uploaded file in $_FILES which, you are right, should not be trusted. I’m experimenting with checking whether the uploaded file is really an image doing something like imagecreatefromjpeg() – obviously using the appropriate function for the reported file extension (so if it’s all wrong/missing/forged an error will result). Alternatively, a simple solution might be to use getimagesize() (just the one function for all types), which I already use later in the code.
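
Added example, not part of the original post or the plugin's code: one way to combine the checks discussed above (strip the client path, allowlist the filename, and let getimagesize() decide the type instead of the value reported in $_FILES). The function name validate_avatar(), the $allowed map and the sample files are assumptions made for illustration.

```php
<?php
// Added example; validate_avatar() and $allowed are hypothetical names.
// A real handler should also require is_uploaded_file($img['tmp_name']).
function validate_avatar(array $img): array
{
    // Some browsers send a full client path. On non-Windows hosts basename()
    // only splits on "/", so normalise backslashes first.
    $name = basename(str_replace('\\', '/', $img['name']));

    // Allowlist: letters, digits, "_" and "-", then one known extension.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.(jpe?g|png|gif)$/i', $name, $m)) {
        return [false, 'filename not allowed'];
    }
    $ext = str_replace('jpeg', 'jpg', strtolower($m[1]));

    // $img['type'] is client-supplied, so it is ignored. getimagesize()
    // returns false when the file header is not a recognised image.
    $info = @getimagesize($img['tmp_name']);
    if ($info === false) {
        return [false, 'not an image'];
    }
    $allowed = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];
    if (($allowed[$info[2]] ?? null) !== $ext) {
        return [false, 'extension does not match content'];
    }
    return [true, $ext];
}

// Constructed sample data: a 1x1 GIF and a text file posing as an image.
$gif = tempnam(sys_get_temp_dir(), 'av');
file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
$txt = tempnam(sys_get_temp_dir(), 'av');
file_put_contents($txt, 'plain text, not image data');

$samples = [
    ['name' => 'C:\\Users\\me\\avatar.gif', 'type' => 'image/gif',  'tmp_name' => $gif],
    ['name' => 'avatar.jpg',                'type' => 'image/jpeg', 'tmp_name' => $txt],
    ['name' => 'avatar.png',                'type' => 'image/png',  'tmp_name' => $gif],
    ['name' => 'avatar.php.gif',            'type' => 'image/gif',  'tmp_name' => $gif],
];
foreach ($samples as $s) {
    [$ok, $msg] = validate_avatar($s);
    printf("%-24s %s (%s)\n", $s['name'], $ok ? 'accept' : 'reject', $msg);
}
unlink($gif);
unlink($txt);
```

getimagesize() only inspects the file header, which is why the server-side rename mentioned in the post still matters after this check passes.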