Merged r6684:6694 from 1.7 branch to trunk (pages plugin was manually merged due to standardization of code in trunk but not branch)

git-svn-id: http://code.elgg.org/elgg/trunk@6848 36083f99-b078-4883-b0ff-0f9b5a30f544

1 files changed, 3 insertions, 17 deletions

diff --git a/mod/profile/icondirect.php b/mod/profile/icondirect.php
index 8a46786ab..c84955fa5 100644
--- a/mod/profile/icondirect.php
+++ b/mod/profile/icondirect.php
@@ -16,8 +16,6 @@ require_once(dirname(dirname(dirname(__FILE__))). '/engine/settings.php');
 
 global $CONFIG;
 
-
-$username = $_GET['username'];
 $joindate = (int)$_GET['joindate'];
 $guid = (int)$_GET['guid'];
 
@@ -26,20 +24,6 @@ if (!in_array($size,array('large','medium','small','tiny','master','topbar'))) {
 	$size = "medium";
 }
 
-// security check on username string
-if (	(strpos($username, '/')!==false) ||
-		(strpos($username, '\\')!==false) ||
-		(strpos($username, '"')!==false) ||
-		(strpos($username, '\'')!==false) ||
-		(strpos($username, '*')!==false) ||
-		(strpos($username, '&')!==false) ||
-		(strpos($username, ' ')!==false) ) {
-	// these characters are not allowed in usernames
-	exit;
-}
-
-
-
 $mysql_dblink = @mysql_connect($CONFIG->dbhost,$CONFIG->dbuser,$CONFIG->dbpass, true);
 if ($mysql_dblink) {
 	if (@mysql_select_db($CONFIG->dbname,$mysql_dblink)) {
@@ -65,7 +49,7 @@ if ($mysql_dblink) {
 
 			// first try to read icon directly
 			$user_path = date('Y/m/d/', $joindate) . $guid;
-			$filename = $dataroot . $user_path . "/profile/" . $username . $size . ".jpg";
+			$filename = "$dataroot$user_path/profile/{$guid}{$size}.jpg";
 			$contents = @file_get_contents($filename);
 			if (!empty($contents)) {
 				header("Content-type: image/jpeg");
@@ -86,4 +70,6 @@ if ($mysql_dblink) {
 
 // simplecache is not turned on or something went wrong so load engine and try that way
 require_once(dirname(dirname(dirname(__FILE__))) . "/engine/start.php");
+$user = get_entity($guid);
+set_input('username', $user->username);
 require_once(dirname(__FILE__).'/icon.php');