Fix for hardcoded uploads dir in User Avatar plugin

There are a couple more hardcoded URLs too, in user_avatar_core_avatar_upload_path() and user_avatar_core_avatar_url().

In user_avatar_delete() the site_url('/wp-admin') line should ideally use admin_url.

These minor points aside, it’s a really great plugin, easily the best one out there for allowing users to upload their own images.

Here’s a more complete patch:

https://gist.github.com/3899757

Lumpysimon – I would highly recommend reverting your ‘dir’ query variable patch. The patch would introduce a terrible vulnerability to your site. One of the first things timthumb does when it starts is to clean the cache. It sounds like you are allowing the cache directory to be configurable via your ‘dir’ query parm. Depending on how your file permissions are set up, someone could potentially cause your entire site (or worse) to be deleted by passing something like ‘dir=../../../’

I’m not sure what the intention is with putting the timthumb cache in the uploads folder, but as far as I can tell, it’s unnecessary. Taking out the FILE_CACHE_DIRECTORY define from timthumb-config.php will cause the default to be used (e.g. plugins/user-avatar/cache/) The files in the cache folder don’t even need to be publicly exposed since they are always processed by the timthumb code before they are returned anyway. This was part of the recent timthumb exploit. PHP code was being uploaded as “image” files and stored in the timthumb cache where it could be executed simply by visiting the URL. I’ve also taken an extra step by adding an .htaccess to the cache/ dir with “Deny From All” in it.

@dklawson thanks for the heads-up & patch, i did think that wasn’t secure so i don’t have it running on any live sites.