BuddyPress Activity Plus
[resolved] Please stop the plugin from renaming image files with a double extension (7 posts)

  1. MickeyRoush
    Posted 2 years ago #

    When users upload a file it goes to the wp-content/uploads/bpfb directory and renames it something like:


    For security reasons, I do not allow, nor do I recommend anyone else allow any file to be uploaded or have a file in their uploads directory that has more than one literal period. Why? There's too much of a security risk of someone uploading a file like:


    With the right tools and access, if that was an actual PHP file, it's possible that someone with malicious intent could use it maliciously. Therefore, anything that is uploaded on any of my sites and the sites of anyone I help, that has more than one literal period, cannot be accessed from HTTP.

    See these links:

    If there is no specific reason that you're using a literal period there, it might be a better idea to use just a hyphen or underscore instead.


  2. MickeyRoush
    Posted 2 years ago #

    To make it a bit easier to understand, it would be better if these:


    were these:

  3. Hi @MickeyRoush,

    Thanks for notifying.

    I have notified the developer of this, and it may be fixed in a future version of the plugin if found valid.


  4. MickeyRoush
    Posted 2 years ago #

    Sorry, not sure what you mean about it being valid. Validation was already given. This is NOT a vulnerability with your plugin, it just means that since you're including a literal period when renaming files, that users who are trying to secure their uploads directory will not be able to use the upload feature, because anything that is deemed a double extension will throw a 403 Forbidden or whatever they have set to protect their uploads directory.

    In other words, the images will never be seen. I imagine if they're using something like mod_security that could prevent the images from showing as well.

    All you need to do is make sure that literal period, as I mentioned above, is a different character, like an underscore. I looked at the file (images_tag_template.php) but I'm not sure exactly where this is being done. If you can point me to the correct location, I would be happy to test it for you.

  5. David
    WPMU DEV Support Staff
    Posted 2 years ago #

    Hi @MickeyRoush,

    Interesting point, thanks for bringing it up. While the developer looks into the matter, you could make the following quick edit to the plugin to do as you've requested.

    In the following file:

    You'll see this on line 56:
    $pfx = $bp->loggedin_user->id . '_' . preg_replace('/ /', '', microtime());

    You can change that to the following:
    $pfx = $bp->loggedin_user->id . '_' . preg_replace('/ /', '', str_replace(".","_",microtime()));

    Basically, it's just replacing the . in the microtime() function output to an underscore.

    Hope that helps!
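The following is an added example, not code from the plugin or from anyone in this thread. It reproduces both prefix constructions side by side and applies the "no more than one literal period" rule described earlier in the thread, so you can see why the original prefix produces a name that such a rule would block and the patched one does not. The user id (42) and the microtime() value are constructed sample inputs; has_multiple_periods() is a hypothetical helper, not a plugin function.

```php
<?php
// Added example: why the original upload prefix yields a "double extension"
// filename, and how the change suggested in this thread avoids it.

// Prefix as the plugin builds it (per the thread): user id, '_', microtime()
// with spaces removed. microtime() without arguments returns "msec sec",
// and the msec part contains a literal period.
function bpfb_prefix_original(int $user_id, string $microtime): string {
    return $user_id . '_' . preg_replace('/ /', '', $microtime);
}

// Prefix with the suggested edit applied: the '.' from microtime() becomes '_'.
function bpfb_prefix_patched(int $user_id, string $microtime): string {
    return $user_id . '_' . preg_replace('/ /', '', str_replace('.', '_', $microtime));
}

// Hypothetical helper modelling the hardening rule from the thread: a file in
// the uploads directory may contain at most one literal period (name + one
// extension). Anything with more is treated as a double extension and refused.
function has_multiple_periods(string $filename): bool {
    return substr_count(basename($filename), '.') > 1;
}

// Constructed sample in microtime()'s "msec sec" format, fixed here so the
// output is reproducible; in the plugin this value comes from microtime().
$sample_microtime = '0.12345600 1400000000';
$user_id          = 42;   // constructed sample user id
$ext              = '.jpg';

$original = bpfb_prefix_original($user_id, $sample_microtime) . $ext;
$patched  = bpfb_prefix_patched($user_id, $sample_microtime) . $ext;

// 42_0.123456001400000000.jpg -> two periods -> blocked by the rule
printf("original: %s -> %s\n", $original,
    has_multiple_periods($original) ? 'blocked (more than one period)' : 'allowed');

// 42_0_123456001400000000.jpg -> one period -> allowed
printf("patched:  %s -> %s\n", $patched,
    has_multiple_periods($patched) ? 'blocked (more than one period)' : 'allowed');
```

The same has_multiple_periods() check can be run over an existing wp-content/uploads/bpfb directory to find files renamed by the unpatched plugin before a deny rule for multi-period filenames is turned on, so that you know which images will stop being served.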


  6. MickeyRoush
    Posted 2 years ago #

    Yes, I believe that's what I was looking for. I'll try to test it here soon. Thanks again.

  7. David
    WPMU DEV Support Staff
    Posted 2 years ago #

    Sounds great! I tested it myself before posting, worked a charm over here. Just let us know how that goes for ya though! :)

Topic Closed

This topic has been closed to new replies.
