onokazu
onoka****@users*****
2006年 4月 11日 (火) 23:54:06 JST
Index: xoops2jp/html/edituser.php
diff -u xoops2jp/html/edituser.php:1.4 xoops2jp/html/edituser.php:1.4.6.1
--- xoops2jp/html/edituser.php:1.4 Wed Aug 3 21:39:11 2005
+++ xoops2jp/html/edituser.php Tue Apr 11 23:54:06 2006
@@ -1,5 +1,5 @@
 <?php
-// $Id: edituser.php,v 1.4 2005/08/03 12:39:11 onokazu Exp $
+// $Id: edituser.php,v 1.4.6.1 2006/04/11 14:54:06 onokazu Exp $
 // ------------------------------------------------------------------------ //
 // XOOPS - PHP Content Management System //
 // Copyright (c) 2000 XOOPS.org //
@@ -24,7 +24,6 @@
 // along with this program; if not, write to the Free Software //
 // Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA //
 // ------------------------------------------------------------------------ //
-
 $xoopsOption['pagetype'] = 'user';
 include 'mainfile.php';
 include_once XOOPS_ROOT_PATH.'/class/xoopsformloader.php';
@@ -344,9 +343,22 @@
 redirect_header('index.php', 3, _US_NOEDITRIGHT);
 exit();
 }
- $user_avatar = '';
- if (!empty($_POST['user_avatar'])) {
- $user_avatar = trim($_POST['user_avatar']);
+ $avt_handler =& xoops_gethandler('avatar');
+ $user_avatar = 'blank.gif';
+ $user_avatar_object = false;
+ $myts =& MyTextSanitizer::getInstance();
+ if ($user_avatar_req = trim($myts->stripSlashesGPC($_POST['user_avatar']))) {
+ // allow system avatar selection only
+ if (preg_match("/^savt/", $user_avatar_req)) {
+ $criteria =& new CriteriaCompo(new Criteria('avatar_file', addslashes($user_avatar_req)));
+ $criteria->add(new Criteria('avatar_type', 'S'));
+ if ($avatars = $avt_handler->getObjects($criteria)) {
+ if (is_object($avatars[0])) {
+ $user_avatar = $avatars[0]->getVar('avatar_file');
+ $user_avatar_object =& $avatars[0];
+ }
+ }
+ }
 }
 $user_avatarpath = str_replace("\\", "/", realpath(XOOPS_UPLOAD_PATH.'/'.$user_avatar));
 if (0 === strpos($user_avatarpath, XOOPS_UPLOAD_PATH) && is_file($user_avatarpath)) {
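Review bot: `$_POST['user_avatar']` is read without an `isset()` guard in the new `if`, so a POST that omits the field raises an undefined-index notice before `trim()` runs; `$user_avatar_req = isset($_POST['user_avatar']) ? trim($myts->stripSlashesGPC($_POST['user_avatar'])) : '';` keeps the fall-through to `blank.gif` and avoids the notice. The `savt` prefix test combined with the `avatar_type = 'S'` lookup is what now keeps raw input away from the `realpath()` call below, and that deserves a comment at the `$user_avatar =` assignment, e.g. `// $user_avatar is now either 'blank.gif' or a filename read back from the avatar table, never the request value`. A request naming the user's own custom avatar (`cavt…`) is now mapped to `blank.gif`, and the later hunk in this commit deletes a `cavt` old avatar, so if custom avatars are meant to survive this form that case needs handling here; I cannot tell from the hunk which `$op` branch this is. The branch enclosing this block starts before the hunk.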
@@ -359,9 +371,10 @@
 include XOOPS_ROOT_PATH.'/footer.php';
 exit();
 }
- $avt_handler =& xoops_gethandler('avatar');
- if ($oldavatar && $oldavatar != 'blank.gif' && !preg_match("/^savt/", strtolower($oldavatar))) {
- $avatars =& $avt_handler->getObjects(new Criteria('avatar_file', $oldavatar));
+ if ($oldavatar && $oldavatar != 'blank.gif' && preg_match("/^cavt/", strtolower($oldavatar))) {
+ $criteria =& new CriteriaCompo(new Criteria('avatar_file', addslashes($oldavatar)));
+ $criteria->add(new Criteria('avatar_type', 'C'));
+ $avatars =& $avt_handler->getObjects($criteria);
 if (is_object($avatars[0])) {
 $avt_handler->delete($avatars[0]);
 }
@@ -370,11 +383,8 @@
 unlink($oldavatar_path);
 }
 }
- if ($user_avatar != 'blank.gif') {
- $avatars =& $avt_handler->getObjects(new Criteria('avatar_file', $user_avatar));
- if (is_object($avatars[0])) {
- $avt_handler->addUser($avatars[0]->getVar('avatar_id'), $xoopsUser->getVar('uid'));
- }
+ if (is_object($user_avatar_object)) {
+ $avt_handler->addUser($user_avatar_object->getVar('avatar_id'), $xoopsUser->getVar('uid'));
 }
 }
 redirect_header('userinfo.php?uid='.$uid, 0, _US_PROFUPDATED);
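Review bot: `is_object($avatars[0])` on the context line after the new `getObjects($criteria)` call is evaluated even when no `C`-type row matches `$oldavatar` and an empty array comes back, which emits an undefined-offset notice; the first hunk of this commit already guards its own lookup with `if ($avatars = ...)`, and the same shape fits here: `if (!empty($avatars) && is_object($avatars[0])) {`. The `$avt_handler` assignment is removed from this block but the handler is still used here, so this code now depends on the assignment added earlier in the same branch, which a reader of this hunk alone cannot see; a one-line comment such as `// $avt_handler is created at the top of this branch` would make that explicit. The `if ($oldavatar ...)` block continues past the end of this hunk; the `unlink()` in the following hunk appears to belong to it.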