Opened 16 years ago
Closed 15 years ago
#766 closed defect (bug) (no action required)
defined constant ‘CORE_MAX_FILE_SIZE’ should not be multiplied
| Reported by: | jeffsayre | Owned by: | |
|---|---|---|---|
| Milestone: | 1.1 | Priority: | minor |
| Severity: | | Version: | |
| Component: | | Keywords: | avatar size |
| Cc: | | | |
Description
I need to investigate further to fully understand the potential consequences. I've set this to minor and will up it to major if it turns out that it has bigger ramifications.
Of course, the whole avatar uploading code needs a rewrite. There are better foundational code bases to hook into. For now, the quick fix is to simply remove the multiplication factor.
In bp-core-avatars.php there is this line: `define( 'CORE_MAX_FILE_SIZE', get_site_option('fileupload_maxk') * 1024 );`
The value for fileupload_maxk is pulled from “Site Admin > Options > Max upload file size”.
So, if a user in the backend sets the value to 15000 (it is labeled as being in KB), that equals about a 15MB max file size. This is reasonable.
Of course, this then means that CORE_MAX_FILE_SIZE = 'fileupload_maxk' * 1024 = approx. 15,000 MB
That’s a big avatar. Obviously, overkill.
It does get worse. In bp-groups.php, there is this line: `$avatar_size = size_format(1024 * CORE_MAX_FILE_SIZE);`
So, $avatar_size would equal approx. 15.3 million MB
Fortunately, $avatar_size is not really of importance. This value, once set within bp-groups.php, is not used.
$avatar_size is also set in bp-xprofile-signup.php
`$avatar_size = size_format(CORE_MAX_FILE_SIZE);`
Here, it is not multiplied by 1024.
$avatar_size is only set in these two places and only used once in bp-xprofile-signup.php
But, the defined constant ‘CORE_MAX_FILE_SIZE’ should not be multiplied.
I've decided that this should remain classified as minor. There is a quick fix. Just remove the multiplication-by-1024 code.
The only place in BuddyPress where CORE_MAX_FILE_SIZE is used as a test is in function bp_core_check_avatar_size(), found in bp-core-avatars.php.
In this line: `if ( $file['file']['size'] > CORE_MAX_FILE_SIZE )`
Whether or not there is a problem will depend on what size of image file a user is trying to upload for their profile or group avatar. But, even if this test passes, there could still be a problem if the avatar file size exceeds the overall space allocated per upload in “Site Admin > Options > Max upload file size”.
There are a few messages in BuddyPress where the user could be told of this erroneous maximum avatar upload size. This could cause confusion.
So let's say that Max upload in WPMU is set to 5000KB. This equals an approximately 5MB max file size. If a BuddyPress user sees that the maximum file size for avatar uploads is 5,000MB, they could easily upload a file larger than the true limit of 5MB. An error would occur.
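The conversion and the check discussed in this ticket, as an added example in Python that is not BuddyPress or WordPress code. The `size_format` here is a constructed stand-in for the WordPress function (binary units, 1024 per step, rounded to the requested decimals), and the 15000 KB setting and upload sizes are constructed samples.

```python
# Added example, not code from BuddyPress or WordPress: a Python model of the
# unit handling in this ticket. fileupload_maxk is stored in kilobytes,
# CORE_MAX_FILE_SIZE is that value times 1024, and the upload check compares
# it against $file['file']['size'], which PHP reports in bytes.

KIB = 1024


def core_max_file_size(fileupload_maxk: int) -> int:
    """Mirror of: define( 'CORE_MAX_FILE_SIZE', get_site_option('fileupload_maxk') * 1024 )"""
    return fileupload_maxk * KIB


def size_format(num_bytes: int, decimals: int = 0) -> str:
    """Constructed stand-in for WordPress size_format(): pick the largest
    binary unit that fits and round to `decimals` places (0 by default)."""
    units = [("TB", KIB ** 4), ("GB", KIB ** 3), ("MB", KIB ** 2), ("kB", KIB)]
    for label, size in units:
        if num_bytes >= size:
            return f"{num_bytes / size:.{decimals}f} {label}"
    return f"{num_bytes} B"


def check_avatar_size(file: dict, fileupload_maxk: int) -> bool:
    """Mirror of the test in bp_core_check_avatar_size():
    if ( $file['file']['size'] > CORE_MAX_FILE_SIZE ) rejects the upload."""
    return file["file"]["size"] <= core_max_file_size(fileupload_maxk)


def avatar_size_messages(fileupload_maxk: int) -> dict:
    """The two human-readable limits the ticket quotes: bp-groups.php formats
    1024 * CORE_MAX_FILE_SIZE, bp-xprofile-signup.php formats the constant."""
    limit = core_max_file_size(fileupload_maxk)
    return {
        "bp-groups.php": size_format(KIB * limit),
        "bp-xprofile-signup.php": size_format(limit),
    }


if __name__ == "__main__":
    maxk = 15000  # constructed sample: Max upload file size set to 15000 (KB)
    print("CORE_MAX_FILE_SIZE =", core_max_file_size(maxk), "bytes")
    print(avatar_size_messages(maxk))
    for mib in (14, 16):  # constructed uploads: 14 MB and 16 MB avatars
        upload = {"file": {"size": mib * KIB ** 2}}
        print(f"{mib} MB avatar accepted:", check_avatar_size(upload, maxk))
```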