Welcome to the Question2Answer Q&A. There's also a demo if you just want to try it out.
+5 votes
1.7k views
in Q2A Core by
edited by

As I found out today, you can rename the extension of any file in q2a v1.5.3 and upload it via CKEditor to the server.

The file catching the upload is qa-wysiwyg-upload.php.

In my opinion, the real file content should be checked to verify that we really deal with an image - and nothing else.

To do this, you need to add the following code after line 101 of qa-wysiwyg-upload.php.

if (empty($message)) {
    $fileImgCheck = getimagesize($file['tmp_name']);
    switch ($fileImgCheck['mime']) {
        case "image/gif":
        case "image/jpeg":
        case "image/png":
            break;
           
        default:
            $message=qa_lang_sub('main/image_not_read', 'GIF, JPG, PNG');
            break;
    }
}

cheers, Kai

 

--

PS: line 83 is only English:
$message='Maximum upload size is '.number_format($maxsize/1048576, 1).'MB';

Maybe we can add a language string here for v1.5.4?

Q2A version: 1.5.3

1 Answer

+1 vote
by
Thanks for this. Not sure how that fixed language string slipped through - good catch!

As for verifying the image content, I think it is a good idea as well. I did not do it originally because I did not want to make a dependency on GD if it was not necessary. But the PHP code can simply skip the verification if GD is not installed

So both fixes will appear in Q2A 1.5.4.
by
thanks for this!
...