UBB.threads PHP Forum Software Community Forums UBB.threads Bug Reports Fixed Bugs [FIXED for 7.0.2] Avatar bug?

I run a tight ship on user uploaded avatars due to problems long ago with people using bad avatars. I turned on the stock avatars just because a couple people bothered me to death about it.

Anyhow one of my users says:

"it's quite easy to come around the system and use your own image for the avatar.
I just used Web-developer toolbar in firefox to show the hidden edit fields and I could then edit it's contents and submit the form."

I can confirm this bug.

I see no reference to ALLOW_REMOTE_AVATARS in changebasic.inc.php and no proper checks in newuser.inc.php. The only references I can find where the value ALLOW_REMOTE_AVATARS is checked is to determine whether or not to display the HTML.

Yeah, need to put in a check to make sure the specified URL is local if remove avatars isn't turned on. Will get that fixed for 7.0.2.

Cheers. Maybe remote avatars should always be okay if set by admins/mods through doprofiles.php, tho.