Adding image verification to file upload / qa-wysiwyg-upload.php

+5 votes
1,567 views
asked Oct 30, 2012 in Q2A Core by q2apro
edited Oct 31, 2012 by q2apro

As I found out today, you can rename the extension of any file in q2a v1.5.3 and upload it via CKEditor to the server.

The file catching the upload is qa-wysiwyg-upload.php.

In my opinion, the real file content should be checked to verify that we really deal with an image - and nothing else.

To do this, you need to add the following code after line 101 of qa-wysiwyg-upload.php.

if (empty($message)) {
    // getimagesize() inspects the file's actual bytes, not its name or declared type
    $fileImgCheck = getimagesize($file['tmp_name']);

    // it returns false when the content is not an image it recognises, so
    // guard against that before reading ['mime']
    $mime = ($fileImgCheck === false) ? '' : $fileImgCheck['mime'];

    switch ($mime) {
        case "image/gif":
        case "image/jpeg":
        case "image/png":
            break;

        default:
            $message=qa_lang_sub('main/image_not_read', 'GIF, JPG, PNG');
            break;
    }
}

cheers, Kai

--

PS: line 83 is only English:
$message='Maximum upload size is '.number_format($maxsize/1048576, 1).'MB';

Maybe we can add a language string here for v1.5.4?

Q2A version: 1.5.3
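The check described in the post, written out as a stand-alone function with sample inputs (an added example, not code from q2apro's post or from Q2A itself). The function name checkUploadedImage, the ALLOWED_IMAGE_MIMES table and the sample file names are assumptions for illustration. Beyond the post's content check, it also requires the file extension to agree with the type detected from the bytes, so a file that was renamed to .png but contains something else is refused, and it follows the thread's "skip if the function is unavailable" approach while logging that the check was skipped:

```php
<?php
// Added example, not Q2A's own code. Helper names are hypothetical;
// $tmpName / $originalName follow the $_FILES['...']['tmp_name'] / ['name'] convention.

const ALLOWED_IMAGE_MIMES = [
    'image/gif'  => ['gif'],
    'image/jpeg' => ['jpg', 'jpeg'],
    'image/png'  => ['png'],
];

/**
 * Returns null when $tmpName holds a real GIF/JPEG/PNG whose extension in
 * $originalName matches the detected type; otherwise a human-readable reason.
 */
function checkUploadedImage(string $tmpName, string $originalName): ?string
{
    if (!function_exists('getimagesize')) {
        // Mirrors the "skip if unavailable" idea from the thread; log it so the
        // weakened check is visible to whoever operates the site.
        error_log('getimagesize() unavailable; image content check skipped');
        return null;
    }

    $info = getimagesize($tmpName); // false when the bytes are not a recognised image
    if ($info === false || empty($info['mime'])) {
        return 'File content is not a recognised image';
    }

    $mime = $info['mime'];
    if (!isset(ALLOWED_IMAGE_MIMES[$mime])) {
        return 'Image type ' . $mime . ' is not allowed (GIF, JPG, PNG only)';
    }

    // The extension must agree with the detected type, so a renamed file is
    // refused even if it happens to start with a valid image header.
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_IMAGE_MIMES[$mime], true)) {
        return 'File extension .' . $ext . ' does not match detected type ' . $mime;
    }

    return null;
}

// --- constructed sample inputs (not real uploads) ---
// A 1x1 transparent PNG, and a PHP script pretending to be a PNG.
$pngBytes = base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
);
$scriptBytes = "<?php echo 'not an image';";

$samples = [
    ['real.png',        $pngBytes],    // accepted
    ['renamed.png',     $scriptBytes], // rejected: content is not an image
    ['mislabelled.jpg', $pngBytes],    // rejected: extension disagrees with content
];

foreach ($samples as [$name, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    $result = checkUploadedImage($tmp, $name);
    unlink($tmp);
    echo $name, ': ', $result ?? 'accepted', PHP_EOL;
}
```

In qa-wysiwyg-upload.php the equivalent would be to call such a function where the post inserts its switch, assigning the returned string to $message (via qa_lang_sub for a translatable message) so the upload is refused the same way a too-large file is.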

1 Answer

+1 vote
answered Nov 4, 2012 by gidgreen
Thanks for this. Not sure how that fixed language string slipped through - good catch!

As for verifying the image content, I think it is a good idea as well. I did not do it originally because I did not want to make a dependency on GD if it was not necessary. But the PHP code can simply skip the verification if GD is not installed.

So both fixes will appear in Q2A 1.5.4.
commented Nov 5, 2012 by q2apro
thanks for this!