From c6499545afd2010ff26779a61b8df0fda96a236a Mon Sep 17 00:00:00 2001 From: "glix08@gmail.com" Date: Sun, 12 Jan 2014 20:28:36 +0000 Subject: [PATCH] r555 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Фикс http://torrentpier.me/threads/10876/ + удаление возможности загрузки аватарки по удаленной ссылке и/или использования ссылки (удаленной картинки) в качестве аватарки, из-за обнаруженной уязвимости в механизме валидации передаваемых данных, что в теории может привести к взлому трекера, путем загрузки модифицированного изображения, содержащего вредоносный код. git-svn-id: https://torrentpier2.googlecode.com/svn/trunk@555 a8ac35ab-4ca4-ca47-4c2d-a49a94f06293 --- ReadMe.txt | 1 - install/sql/mysql.sql | 1 - upload/admin/admin_board.php | 1 - upload/config.php | 4 +- upload/includes/functions.php | 3 - upload/includes/init_bb.php | 2 +- upload/includes/ucp/usercp_avatar.php | 135 +++--------------- upload/includes/ucp/usercp_register.php | 138 ++++++++----------- upload/language/lang_english/lang_admin.php | 2 - upload/language/lang_english/lang_main.php | 6 - upload/language/lang_russian/lang_admin.php | 2 - upload/language/lang_russian/lang_main.php | 6 - upload/templates/admin/admin_board.tpl | 7 - upload/templates/default/usercp_register.tpl | 14 +- 14 files changed, 85 insertions(+), 237 deletions(-) diff --git a/ReadMe.txt b/ReadMe.txt index 765e8bd38..267e86441 100644 --- a/ReadMe.txt +++ b/ReadMe.txt @@ -30,7 +30,6 @@ - images/ranks - images/smiles - log -- pictures - triggers ************************************ diff --git a/install/sql/mysql.sql b/install/sql/mysql.sql index faab82a0c..74ae923ef 100644 --- a/install/sql/mysql.sql +++ b/install/sql/mysql.sql 
@@ -542,7 +542,6 @@ CREATE TABLE IF NOT EXISTS `bb_config` ( INSERT INTO `bb_config` VALUES ('allow_autologin', '1'); INSERT INTO `bb_config` VALUES ('allow_avatar_local', '1'); -INSERT INTO `bb_config` VALUES ('allow_avatar_remote', '0'); INSERT INTO `bb_config` VALUES ('allow_avatar_upload', '1'); INSERT INTO `bb_config` VALUES ('allow_bbcode', '1'); INSERT INTO `bb_config` VALUES ('allow_namechange', '0'); diff --git a/upload/admin/admin_board.php b/upload/admin/admin_board.php index 67068656d..1f0623ce4 100644 --- a/upload/admin/admin_board.php +++ b/upload/admin/admin_board.php @@ -176,7 +176,6 @@ switch($mode) 'SIG_SIZE' => $new['max_sig_chars'], 'ALLOW_NAMECHANGE' => ($new['allow_namechange']) ? true : false, 'ALLOW_AVATARS_LOCAL' => ($new['allow_avatar_local']) ? true : false, - 'ALLOW_AVATAR_REMOTE' => ($new['allow_avatar_remote']) ? true : false, 'ALLOW_AVATAR_UPLOAD' => ($new['allow_avatar_upload']) ? true : false, 'AVATAR_FILESIZE' => $new['avatar_filesize'], 'AVATAR_MAX_HEIGHT' => $new['avatar_max_height'], diff --git a/upload/config.php b/upload/config.php index ba414f63c..dbdc21eb0 100644 --- a/upload/config.php +++ b/upload/config.php @@ -55,8 +55,8 @@ $domain_name = (!empty($_SERVER['SERVER_NAME'])) ? $_SERVER['SERVER_NAME'] : $do // Increase number of revision after update $bb_cfg['tp_version'] = '2.5 (unstable)'; -$bb_cfg['tp_release_date'] = '12-01-2014'; -$bb_cfg['tp_release_state'] = 'R554'; +$bb_cfg['tp_release_date'] = '13-01-2014'; +$bb_cfg['tp_release_state'] = 'R555'; // Database $charset = 'utf8'; diff --git a/upload/includes/functions.php b/upload/includes/functions.php index 896d10175..0c5d6df4a 100644 --- a/upload/includes/functions.php +++ b/upload/includes/functions.php 
@@ -2692,9 +2692,6 @@ function get_avatar ($avatar, $type, $allow_avatar = true, $height = '', $width case USER_AVATAR_UPLOAD: $user_avatar = ( $bb_cfg['allow_avatar_upload'] ) ? '' : ''; break; - case USER_AVATAR_REMOTE: - $user_avatar = ( $bb_cfg['allow_avatar_remote'] ) ? '' : ''; - break; case USER_AVATAR_GALLERY: $user_avatar = ( $bb_cfg['allow_avatar_local'] ) ? '' : ''; break; diff --git a/upload/includes/init_bb.php b/upload/includes/init_bb.php index be7618528..27fdd4357 100644 --- a/upload/includes/init_bb.php +++ b/upload/includes/init_bb.php @@ -147,7 +147,7 @@ define('USER_ACTIVATION_ADMIN', 2); define('USER_AVATAR_NONE', 0); define('USER_AVATAR_UPLOAD', 1); -define('USER_AVATAR_REMOTE', 2); +define('USER_AVATAR_REMOTE', 2); // не ипользуется define('USER_AVATAR_GALLERY', 3); // Group settings diff --git a/upload/includes/ucp/usercp_avatar.php b/upload/includes/ucp/usercp_avatar.php index e5d48713c..f8cf3445a 100644 --- a/upload/includes/ucp/usercp_avatar.php +++ b/upload/includes/ucp/usercp_avatar.php @@ -2,7 +2,7 @@ if (!defined('IN_FORUM')) die("Hacking attempt"); -function check_image_type(&$type, &$errors) +function check_image_type (&$type, &$errors) { global $lang; @@ -32,7 +32,7 @@ function check_image_type(&$type, &$errors) return false; } -function user_avatar_delete($avatar_type, $avatar_file) +function user_avatar_delete ($avatar_type, $avatar_file) { global $bb_cfg; @@ -48,7 +48,7 @@ function user_avatar_delete($avatar_type, $avatar_file) return array('user_avatar' => '', 'user_avatar_type' => USER_AVATAR_NONE); } -function user_avatar_gallery($mode, &$errors, $avatar_filename, $avatar_category) +function user_avatar_gallery ($mode, &$errors, $avatar_filename, $avatar_category) { global $bb_cfg; 
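Review bot: Accounts that already store `USER_AVATAR_REMOTE` as their avatar type are not handled once this `case` is removed from the switch in `get_avatar`; what they now get depends on the default path, which is outside the hunk. The constant is kept in init_bb.php as unused and the only data change in the commit is to the install script, so existing installs keep the `allow_avatar_remote` config row and any remote URLs already saved in user rows. An upgrade step that resets those rows to `USER_AVATAR_NONE` with an empty `user_avatar` would complete the removal. A comment above the switch such as `// USER_AVATAR_REMOTE (2) is retired: remote avatars are no longer rendered` would document it.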
@@ -74,28 +74,7 @@ function user_avatar_gallery($mode, &$errors, $avatar_filename, $avatar_category } } -function user_avatar_url($mode, &$errors, $avatar_filename) -{ - global $lang; - - if ( !preg_match('#^(http)|(ftp):\/\/#i', $avatar_filename) ) - { - $avatar_filename = 'http://' . $avatar_filename; - } - - $avatar_filename = substr($avatar_filename, 0, 100); - - if ( !preg_match("#^((ht|f)tp://)([^ \?&=\#\"\n\r\t<]*?(\.(jpg|jpeg|gif|png))$)#is", $avatar_filename) ) - { - $errors[] = $lang['WRONG_REMOTE_AVATAR_FORMAT']; - return; - } - - return array('user_avatar' => DB()->escape($avatar_filename), 'user_avatar_type' => USER_AVATAR_REMOTE); - -} - -function user_avatar_upload($mode, $avatar_mode, &$current_avatar, &$current_type, &$errors, $avatar_filename, $avatar_realname, $avatar_filesize, $avatar_filetype) +function user_avatar_upload ($mode, $avatar_mode, &$current_avatar, &$current_type, &$errors, $avatar_filename, $avatar_realname, $avatar_filesize, $avatar_filetype) { global $bb_cfg, $lang; 
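Review bot: `user_avatar_upload` keeps `$avatar_mode` in its signature although the branches that read it are removed in the later hunks of this file, and no hunk shown here still reads it. Keeping the parameter avoids touching callers (the one visible call site now passes the literal `'local'`), so it is worth stating in a docblock, e.g. `@param string $avatar_mode Unused since remote avatars were removed; kept for call compatibility`. The function body starts in this hunk and continues outside it.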
@@ -104,69 +83,7 @@ function user_avatar_upload($mode, $avatar_mode, &$current_avatar, &$current_typ $width = $height = 0; $type = ''; - if ( $avatar_mode == 'remote' && preg_match('/^(http:\/\/)?([\w\-\.]+)\:?([0-9]*)\/([^ \?&=\#\"\n\r\t<]*?(\.(jpg|jpeg|gif|png)))$/', $avatar_filename, $url_ary) ) - { - if ( empty($url_ary[4]) ) - { - $errors[] = $lang['INCOMPLETE_URL']; - return; - } - - $base_get = '/' . $url_ary[4]; - $port = ( !empty($url_ary[3]) ) ? $url_ary[3] : 80; - - if ( !($fsock = @fsockopen($url_ary[2], $port, $errno, $errstr)) ) - { - $errors[] = $lang['NO_CONNECTION_URL']; - return; - } - - @fputs($fsock, "GET $base_get HTTP/1.1\r\n"); - @fputs($fsock, "HOST: " . $url_ary[2] . "\r\n"); - @fputs($fsock, "Connection: close\r\n\r\n"); - - $avatar_data = ''; - while( !@feof($fsock) ) - { - $avatar_data .= @fread($fsock, $bb_cfg['avatar_filesize']); - } - @fclose($fsock); - - if (!preg_match('#Content-Length\: ([0-9]+)[^ /][\s]+#i', $avatar_data, $file_data1) || !preg_match('#Content-Type\: image/[x\-]*([a-z]+)[\s]+#i', $avatar_data, $file_data2)) - { - $errors[] = $lang['FILE_NO_DATA']; - return; - } - - $avatar_filesize = $file_data1[1]; - $avatar_filetype = $file_data2[1]; - - if ( !$errors && $avatar_filesize > 0 && $avatar_filesize < $bb_cfg['avatar_filesize'] ) - { - $avatar_data = substr($avatar_data, strlen($avatar_data) - $avatar_filesize, $avatar_filesize); - - //$tmp_path = ( !@$ini_val('safe_mode') ) ? '/tmp' : './' . $bb_cfg['avatar_path'] . '/tmp'; - $tmp_path = ini_get('upload_tmp_dir'); - $tmp_filename = tempnam($tmp_path, uniqid(rand()) . '-'); - - $fptr = @fopen($tmp_filename, 'wb'); - $bytes_written = @fwrite($fptr, $avatar_data, $avatar_filesize); - @fclose($fptr); - - if ( $bytes_written != $avatar_filesize ) - { - @unlink($tmp_filename); - message_die(GENERAL_ERROR, 'Could not write avatar file to local storage. 
Please contact the board administrator with this message', '', __LINE__, __FILE__); - } - - list($width, $height, $type) = @getimagesize($tmp_filename); - } - else - { - $errors[] = sprintf($lang['AVATAR_FILESIZE'], round($bb_cfg['avatar_filesize'] / 1024)); - } - } - else if ( ( file_exists(@phpbb_realpath($avatar_filename)) ) && preg_match('/\.(jpg|jpeg|gif|png)$/i', $avatar_realname) ) + if ( ( file_exists(@phpbb_realpath($avatar_filename)) ) && preg_match('/\.(jpg|jpeg|gif|png)$/i', $avatar_realname) ) { if ( $avatar_filesize <= $bb_cfg['avatar_filesize'] && $avatar_filesize > 0 ) { 
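Review bot: The only name-based check left on this path, `preg_match('/\.(jpg|jpeg|gif|png)$/i', $avatar_realname)`, runs on the client-supplied file name, so it says nothing about what the file contains. The commit description gives crafted images carrying code as the reason for dropping remote avatars, and a local upload can carry the same content. The content checks and the way `$new_filename` gets its extension are outside this hunk; it is worth confirming that the stored extension comes from the detected image type rather than from `$avatar_realname`, and that the avatar directory is served without script execution. A comment on the condition such as `// $avatar_realname is client-supplied: this extension check is advisory only` would make that explicit.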
@@ -234,40 +151,32 @@ function user_avatar_upload($mode, $avatar_mode, &$current_avatar, &$current_typ user_avatar_delete($current_type, $current_avatar); } - if( $avatar_mode == 'remote' ) + if ( @$ini_val('open_basedir') != '' ) { - @copy($tmp_filename, './' . $bb_cfg['avatar_path'] . "/$new_filename"); - @unlink($tmp_filename); + if ( @phpversion() < '4.0.3' ) + { + message_die(GENERAL_ERROR, 'open_basedir is set and your PHP version does not allow move_uploaded_file', '', __LINE__, __FILE__); + } + + $move_file = 'move_uploaded_file'; } else { - if ( @$ini_val('open_basedir') != '' ) - { - if ( @phpversion() < '4.0.3' ) - { - message_die(GENERAL_ERROR, 'open_basedir is set and your PHP version does not allow move_uploaded_file', '', __LINE__, __FILE__); - } - - $move_file = 'move_uploaded_file'; - } - else - { - $move_file = 'copy'; - } - - if (!is_uploaded_file($avatar_filename)) - { - message_die(GENERAL_ERROR, 'Unable to upload file', '', __LINE__, __FILE__); - } - $move_file($avatar_filename, './' . $bb_cfg['avatar_path'] . "/$new_filename"); + $move_file = 'copy'; } + if (!is_uploaded_file($avatar_filename)) + { + message_die(GENERAL_ERROR, 'Unable to upload file', '', __LINE__, __FILE__); + } + $move_file($avatar_filename, './' . $bb_cfg['avatar_path'] . "/$new_filename"); + @chmod('./' . $bb_cfg['avatar_path'] . "/$new_filename", 0777); - return array('user_avatar' => $new_filename, 'user_avatar_type' => USER_AVATAR_UPLOAD); + return array('user_avatar' => $new_filename, 'user_avatar_type' => USER_AVATAR_UPLOAD); } else { $errors[] = sprintf($lang['AVATAR_IMAGESIZE'], $bb_cfg['avatar_max_width'], $bb_cfg['avatar_max_height']); - return ''; + return ''; } -} +} \ No newline at end of file diff --git a/upload/includes/ucp/usercp_register.php b/upload/includes/ucp/usercp_register.php index 9971c3e99..b0fcfe5eb 100644 --- a/upload/includes/ucp/usercp_register.php +++ b/upload/includes/ucp/usercp_register.php 
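Review bot: `@chmod('./' . $bb_cfg['avatar_path'] . "/$new_filename", 0777);` leaves every stored avatar world-writable with the execute bits set, which is more than a served image needs; `0644` is enough. The result of `$move_file(...)` is also not checked, so a failed copy or move still returns a `user_avatar` entry for a file that was never written. Suggested: `if (!$move_file($avatar_filename, './' . $bb_cfg['avatar_path'] . "/$new_filename")) { message_die(GENERAL_ERROR, 'Unable to upload file', '', __LINE__, __FILE__); }` followed by the `@chmod(...)` call with `0644`. `$ini_val` and `$new_filename` are set outside the hunk.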
@@ -23,7 +23,7 @@ $can_register = (IS_GUEST || IS_ADMIN); $submit = !empty($_POST['submit']); $errors = array(); -$adm_edit = false; // редактирование админом чужого профиля +$adm_edit = false; // редактирование админом чужого профиля require(INC_DIR .'bbcode.php'); require(INC_DIR .'functions_validate.php'); @@ -47,7 +47,7 @@ switch ($mode) } if (!IS_ADMIN) { - // Ограничение по ипу + // Ограничение по ip if($bb_cfg['unique_ip']) { if($users = DB()->fetch_row("SELECT user_id, username FROM ". BB_USERS ." WHERE user_reg_ip = '". USER_IP ."' LIMIT 1")) @@ -67,13 +67,7 @@ switch ($mode) { bb_die($lang['REGISTERED_IN_TIME']); } - } - // Вывод начальной страницы с условиями регистрации - /*if (empty($_POST['reg_agreed'])) - { - print_page('agreement.tpl'); - }*/ } // field => can_edit @@ -110,7 +104,7 @@ switch ($mode) 'user_active' => IS_ADMIN, 'username' => (IS_ADMIN || $bb_cfg['allow_namechange']), 'user_password' => true, - 'user_email' => true, // должен быть после user_password + 'user_email' => true, // должен быть после user_password 'user_lang' => true, 'user_gender' => true, 'user_birthday' => true, 
@@ -154,19 +148,13 @@ switch ($mode) bb_die($lang['PROFILE_NOT_FOUND']); } - if (!bf($pr_data['user_opt'], 'user_opt', 'allow_avatar') && ($bb_cfg['allow_avatar_upload'] || $bb_cfg['allow_avatar_local'] || $bb_cfg['allow_avatar_remote'])) + if (!bf($pr_data['user_opt'], 'user_opt', 'allow_avatar') && ($bb_cfg['allow_avatar_upload'] || $bb_cfg['allow_avatar_local'])) { $template->assign_block_vars('switch_avatar_block', array()); if ($bb_cfg['allow_avatar_upload'] && file_exists(@phpbb_realpath('./' . $bb_cfg['avatar_path']))) { $template->assign_block_vars('switch_avatar_block.switch_avatar_local_upload', array()); - $template->assign_block_vars('switch_avatar_block.switch_avatar_remote_upload', array()); - } - - if ($bb_cfg['allow_avatar_remote']) - { - $template->assign_block_vars('switch_avatar_block.switch_avatar_remote_link', array()); } if ($bb_cfg['allow_avatar_local'] && file_exists(@phpbb_realpath('./' . $bb_cfg['avatar_gallery_path']))) @@ -178,7 +166,7 @@ switch ($mode) { $template->assign_block_vars('not_avatar_block', array()); } - break; + break; default: trigger_error("invalid mode: $mode", E_USER_ERROR); @@ -209,7 +197,7 @@ foreach ($profile_fields as $field => $can_edit) $active = isset($_POST['user_active']) ? (int) $_POST['user_active'] : $pr_data['user_active']; if ($submit && $adm_edit) { - $pr_data['user_active'] = $active; + $pr_data['user_active'] = $active; $db_data['user_active'] = $active; } break; @@ -218,7 +206,7 @@ foreach ($profile_fields as $field => $can_edit) * Имя (edit, reg) */ case 'username': - $username = !empty($_POST['username']) ? clean_username($_POST['username']) : $pr_data['username']; + $username = !empty($_POST['username']) ? clean_username($_POST['username']) : $pr_data['username']; if ($submit) { 
@@ -227,7 +215,7 @@ foreach ($profile_fields as $field => $can_edit) { $errors[] = $err; } - if($can_edit && $username != $pr_data['username'] || $mode == 'register') + if ($can_edit && $username != $pr_data['username'] || $mode == 'register') { $pr_data['username'] = $username; $db_data['username'] = $username; @@ -284,7 +272,6 @@ foreach ($profile_fields as $field => $can_edit) } } } - break; /** @@ -302,7 +289,7 @@ foreach ($profile_fields as $field => $can_edit) } $db_data['user_email'] = $email; } - else if ($email != $pr_data['user_email']) // если смена мейла юзером + else if ($email != $pr_data['user_email']) // если смена мейла юзером { if (!$cur_pass_valid) { @@ -330,7 +317,7 @@ foreach ($profile_fields as $field => $can_edit) $user_lang = isset($_POST['user_lang']) ? (string) $_POST['user_lang'] : $pr_data['user_lang']; if ($submit && ($user_lang != $pr_data['user_lang'] || $mode == 'register')) { - $pr_data['user_lang'] = $user_lang; + $pr_data['user_lang'] = $user_lang; $db_data['user_lang'] = $user_lang; } break; @@ -357,7 +344,7 @@ foreach ($profile_fields as $field => $can_edit) $gender = isset($_POST['user_gender']) ? (int) $_POST['user_gender'] : $pr_data['user_gender']; if ($submit && $gender != $pr_data['user_gender']) { - $pr_data['user_gender'] = $gender; + $pr_data['user_gender'] = $gender; $db_data['user_gender'] = $gender; } $tp_data['USER_GENDER'] = build_select('user_gender', array_flip($lang['GENDER_SELECT']), $pr_data['user_gender']); @@ -384,7 +371,7 @@ foreach ($profile_fields as $field => $can_edit) else { $birthday = "$b_year-$b_md-$b_day"; - $next_birthday_greeting = (date('md') < $b_md . (($b_day <= 9) ? '0' : '') . $b_day) ? date('Y') : date('Y')+1; + $next_birthday_greeting = (date('md') < $b_md . (($b_day <= 9) ? '0' : '') . $b_day) ? date('Y') : date('Y') + 1; } } else 
@@ -393,7 +380,7 @@ foreach ($profile_fields as $field => $can_edit) $next_birthday_greeting = 0; } - if ($submit && $birthday != $pr_data['user_birthday']) + if ($submit && $birthday != $pr_data['user_birthday']) { $pr_data['user_birthday'] = $birthday; $db_data['user_birthday'] = $birthday; @@ -408,9 +395,9 @@ foreach ($profile_fields as $field => $can_edit) $user_opt = $pr_data['user_opt']; $update_user_opt = array( - 'viewemail' => true, - 'allow_viewonline' => true, - 'notify' => true, + 'viewemail' => true, + 'allow_viewonline' => true, + 'notify' => true, 'notify_pm' => true, 'hide_porn_forums' => true, 'allow_dls' => true, @@ -556,11 +543,11 @@ foreach ($profile_fields as $field => $can_edit) break; case 'user_avatar_type': - if(isset($_POST['avatargallery']) && !$errors) + if (isset($_POST['avatargallery']) && !$errors) { $category = (!empty($_POST['avatarcategory'])) ? htmlspecialchars($_POST['avatarcategory']) : ''; - $dir = @opendir($bb_cfg['avatar_gallery_path']); + $dir = @opendir($bb_cfg['avatar_gallery_path']); $avatar_images = array(); while($file = @readdir($dir)) @@ -571,15 +558,15 @@ foreach ($profile_fields as $field => $can_edit) $avatar_row_count = 0; $avatar_col_count = 0; - while($sub_file = @readdir($sub_dir)) + while ($sub_file = @readdir($sub_dir)) { - if(preg_match('/(\.gif$|\.png$|\.jpg|\.jpeg)$/is', $sub_file)) + if (preg_match('/(\.gif$|\.png$|\.jpg|\.jpeg)$/is', $sub_file)) { $avatar_images[$file][$avatar_row_count][$avatar_col_count] = $sub_file; $avatar_name[$file][$avatar_row_count][$avatar_col_count] = ucfirst(str_replace("_", " ", preg_replace('/^(.*)\..*$/', '\1', $sub_file))); $avatar_col_count++; - if($avatar_col_count == 5) + if ($avatar_col_count == 5) { $avatar_row_count++; $avatar_col_count = 0; 
@@ -612,7 +599,7 @@ foreach ($profile_fields as $field => $can_edit) $s_categories .= ''; $s_colspan = 0; - for($i = 0; $i < @count($avatar_images[$category]); $i++) + for ($i = 0; $i < @count($avatar_images[$category]); $i++) { $template->assign_block_vars('avatar_row', array()); @@ -633,6 +620,9 @@ foreach ($profile_fields as $field => $can_edit) $s_hidden_vars = ''; + $u_id = (isset($_GET['u']) && intval($_GET['u'])) ? intval($_GET['u']) : 0; + $mode = (IS_ADMIN && $u_id) ? $mode . '&u=' . $u_id : $mode; + $template->assign_vars(array( 'S_CATEGORY_SELECT' => $s_categories, 'S_COLSPAN' => $s_colspan, @@ -645,9 +635,7 @@ foreach ($profile_fields as $field => $can_edit) $user_avatar_local = (isset($_POST['avatarselect']) && !empty($_POST['submitavatar']) && $bb_cfg['allow_avatar_local']) ? htmlspecialchars($_POST['avatarselect']) : ((isset($_POST['avatarlocal'])) ? htmlspecialchars($_POST['avatarlocal']) : ''); $user_avatar_category = (isset($_POST['avatarcatname']) && $bb_cfg['allow_avatar_local']) ? htmlspecialchars($_POST['avatarcatname']) : ''; - - $user_avatar_remoteurl = (!empty($_POST['avatarremoteurl'])) ? trim(htmlspecialchars($_POST['avatarremoteurl'])) : ''; - $user_avatar_upload = (!empty($_POST['avatarurl'])) ? trim($_POST['avatarurl']) : ((!empty($_FILES['avatar']) && $_FILES['avatar']['tmp_name'] != "none") ? $_FILES['avatar']['tmp_name'] : ''); + $user_avatar_upload = (!empty($_FILES['avatar']) && $_FILES['avatar']['tmp_name'] != "none") ? $_FILES['avatar']['tmp_name'] : ''; $user_avatar_name = (!empty($_FILES['avatar']['name'])) ? $_FILES['avatar']['name'] : ''; $user_avatar_size = (!empty($_FILES['avatar']['size'])) ? $_FILES['avatar']['size'] : 0; $user_avatar_filetype = (!empty($_FILES['avatar']['type'])) ? $_FILES['avatar']['type'] : ''; 
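Review bot: Reassigning `$mode` to `$mode . '&u=' . $u_id` changes a variable that the rest of the script compares against literal values: `$mode != 'register'` is visible in a later hunk, and `$mode` is passed to `user_avatar_upload()`. If execution continues past this gallery branch (its end is outside the hunk), an admin editing another profile would carry a mode value that matches none of those comparisons. A separate variable keeps the two uses apart: `$gallery_mode = (IS_ADMIN && $u_id) ? $mode . '&u=' . $u_id : $mode;`, used only in the template variable that needs it. If the value ends up inside an HTML attribute, the `&` should go through `htmlspecialchars()`.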
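Review bot: `$user_avatar_upload` now comes from `$_FILES['avatar']['tmp_name']` only, but the upload's `error` field is not consulted in the lines shown, and the `!= "none"` comparison is a leftover from very old PHP versions. Checking `isset($_FILES['avatar']['error']) && $_FILES['avatar']['error'] === UPLOAD_ERR_OK` before using `tmp_name` would reject partial or failed uploads explicitly. `$user_avatar_name` and `$user_avatar_filetype` on the following lines are sent by the browser and deserve a comment saying so, e.g. `// name and type are client-supplied; do not rely on them for validation`.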
@@ -677,41 +665,35 @@ foreach ($profile_fields as $field => $can_edit) { if (!empty($user_avatar_upload)) { - $avatar_mode = (empty($user_avatar_name)) ? 'remote' : 'local'; - $avatar = user_avatar_upload($mode, $avatar_mode, $pr_data['user_avatar'], $pr_data['user_avatar_type'], $errors, $user_avatar_upload, $user_avatar_name, $user_avatar_size, $user_avatar_filetype); + $avatar = user_avatar_upload($mode, 'local', $pr_data['user_avatar'], $pr_data['user_avatar_type'], $errors, $user_avatar_upload, $user_avatar_name, $user_avatar_size, $user_avatar_filetype); } else if (!empty($user_avatar_name)) { $errors[] = sprintf($lang['AVATAR_FILESIZE'], round($bb_cfg['avatar_filesize'] / 1024)); } } - else if ($user_avatar_remoteurl != '' && $bb_cfg['allow_avatar_remote']) - { - user_avatar_delete($pr_data['user_avatar_type'], $pr_data['user_avatar']); - $avatar = user_avatar_url($mode, $errors, $user_avatar_remoteurl); - } else if ($user_avatar_local != '' && $bb_cfg['allow_avatar_local']) { user_avatar_delete($pr_data['user_avatar_type'], $pr_data['user_avatar']); $avatar = user_avatar_gallery($mode, $errors, $user_avatar_local, $user_avatar_category); } - if($avatar) - { - $user_avatar = $avatar['user_avatar']; - $user_avatar_type = $avatar['user_avatar_type']; - $hidden_vars = ''; - foreach($_POST as $name => $key) - { - $hidden_vars .= ''; - } - $tp_data['USER_AVATAR'] = get_avatar($user_avatar, $user_avatar_type) . $hidden_vars; - } - else - { - $tp_data['USER_AVATAR'] = get_avatar($pr_data['user_avatar'], $pr_data['user_avatar_type'], !bf($pr_data['user_opt'], 'user_opt', 'allow_avatar')); - } - if ($submit && !bf($pr_data['user_opt'], 'user_opt', 'allow_avatar')) + if ($avatar) + { + $user_avatar = $avatar['user_avatar']; + $user_avatar_type = $avatar['user_avatar_type']; + $hidden_vars = ''; + foreach ($_POST as $name => $key) + { + $hidden_vars .= ''; + } + $tp_data['USER_AVATAR'] = get_avatar($user_avatar, $user_avatar_type) . 
$hidden_vars; + } + else + { + $tp_data['USER_AVATAR'] = get_avatar($pr_data['user_avatar'], $pr_data['user_avatar_type'], !bf($pr_data['user_opt'], 'user_opt', 'allow_avatar')); + } + if ($submit && !bf($pr_data['user_opt'], 'user_opt', 'allow_avatar')) { if ($user_avatar != $pr_data['user_avatar'] || $user_avatar_type != $pr_data['user_avatar_type']) { @@ -751,17 +733,17 @@ foreach ($profile_fields as $field => $can_edit) } } -if($bb_cfg['birthday_enabled'] && $mode != 'register') +if ($bb_cfg['birthday_enabled'] && $mode != 'register') { $days = array($lang['DELTA_TIME']['INTERVALS']['mday'][0] => 0); - for($i=1; $i<=31; $i++) + for ($i = 1; $i <= 31; $i++) { $days[$i] = $i; } $s_birthday = build_select('b_day', $days, $b_day); $months = array($lang['DELTA_TIME']['INTERVALS']['mon'][0] => 0); - for($i=1; $i<=12; $i++) + for ($i = 1; $i <= 12; $i++) { $month = bb_date(mktime(0, 0, 0, ($i+1), 0, 0), 'F'); $months[$month] = $i; @@ -770,7 +752,7 @@ if($bb_cfg['birthday_enabled'] && $mode != 'register') $year = bb_date(TIMENOW, 'Y', 'false'); $years = array($lang['DELTA_TIME']['INTERVALS']['year'][0] => 0); - for($i=$year-$bb_cfg['birthday_max_age']; $i<=$year-$bb_cfg['birthday_min_age']; $i++) + for ($i = $year-$bb_cfg['birthday_max_age']; $i <= $year - $bb_cfg['birthday_min_age']; $i++) { $years[$i] = $i; } @@ -799,9 +781,9 @@ if ($submit && !$errors) } $db_data['user_regdate'] = TIMENOW; - if(!IS_ADMIN) $db_data['user_reg_ip'] = USER_IP; + if (!IS_ADMIN) $db_data['user_reg_ip'] = USER_IP; - if(!isset($db_data['tpl_name'])) $db_data['tpl_name'] = (string) $bb_cfg['tpl_name']; + if (!isset($db_data['tpl_name'])) $db_data['tpl_name'] = (string) $bb_cfg['tpl_name']; $sql_args = DB()->build_array('INSERT', $db_data); 
@@ -856,11 +838,9 @@ if ($submit && !$errors) if ($bb_cfg['require_activation'] == USER_ACTIVATION_ADMIN) { - $sql = "SELECT user_email, user_lang, usr_opt - FROM ". BB_USERS ." - WHERE user_level = " . ADMIN; + $sql = "SELECT user_email, user_lang, usr_opt FROM ". BB_USERS ." WHERE user_level = " . ADMIN; - if ( !($result = DB()->sql_query($sql)) ) + if (!($result = DB()->sql_query($sql))) { message_die(GENERAL_ERROR, 'Could not select Administrators', '', __LINE__, __FILE__, $sql); } @@ -890,7 +870,7 @@ if ($submit && !$errors) } } - if(empty($active_admin)) + if (empty($active_admin)) { $emailer->from($bb_cfg['board_email']); $emailer->replyto($bb_cfg['board_email']); @@ -928,7 +908,7 @@ if ($submit && !$errors) if (!$pr_data['user_active']) { $user_actkey = make_rand_str(12); - $pr_data['user_actkey'] = $user_actkey; + $pr_data['user_actkey'] = $user_actkey; $db_data['user_actkey'] = $user_actkey; include(INC_DIR . 'emailer.class.php'); @@ -959,7 +939,7 @@ if ($submit && !$errors) $emailer->reset(); $message = $lang['PROFILE_UPDATED_INACTIVE']; - $user->session_end(); + $user->session_end(); } else { @@ -979,7 +959,7 @@ if ($submit && !$errors) } } - cache_rm_user_sessions ($pr_data['user_id']); + cache_rm_user_sessions ($pr_data['user_id']); if($adm_edit) { 
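Review bot: The rewritten query selects `usr_opt`, while every other reference in this file uses `user_opt` (for example `$pr_data['user_opt']`); the table schema is not on this page, but this looks like a typo carried over from the old three-line form. If the column does not exist, the query fails and a registration that needs admin activation ends in `message_die(GENERAL_ERROR, 'Could not select Administrators', ...)`. Suggested line: `$sql = "SELECT user_email, user_lang, user_opt FROM ". BB_USERS ." WHERE user_level = " . ADMIN;`. Any later read of that column from the result row, outside this hunk, would need the same name.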
@@ -1014,14 +994,14 @@ $template->assign_vars(array( 'SHOW_PASS' => ($adm_edit || ($mode == 'register' && IS_ADMIN)), 'CAPTCHA_HTML' => ($need_captcha) ? CAPTCHA()->get_html() : '', - 'LANGUAGE_SELECT' => language_select($user_lang, 'user_lang'), + 'LANGUAGE_SELECT' => language_select($user_lang, 'user_lang'), 'TIMEZONE_SELECT' => tz_select($user_timezone, 'user_timezone'), 'USER_TIMEZONE' => $pr_data['user_timezone'], - 'AVATAR_EXPLAIN' => sprintf($lang['AVATAR_EXPLAIN'], $bb_cfg['avatar_max_width'], $bb_cfg['avatar_max_height'], (round($bb_cfg['avatar_filesize'] / 1024))), - 'SIGNATURE_EXPLAIN' => sprintf($lang['SIGNATURE_EXPLAIN'], $bb_cfg['max_sig_chars']), + 'AVATAR_EXPLAIN' => sprintf($lang['AVATAR_EXPLAIN'], $bb_cfg['avatar_max_width'], $bb_cfg['avatar_max_height'], (round($bb_cfg['avatar_filesize'] / 1024))), + 'SIGNATURE_EXPLAIN' => sprintf($lang['SIGNATURE_EXPLAIN'], $bb_cfg['max_sig_chars']), - 'SIG_DISALLOWED' => bf($pr_data['user_opt'], 'user_opt', 'allow_sig'), + 'SIG_DISALLOWED' => bf($pr_data['user_opt'], 'user_opt', 'allow_sig'), 'PR_USER_ID' => $pr_data['user_id'], 'U_RESET_AUTOLOGIN' => "login.php?logout=1&reset_autologin=1&sid={$userdata['session_id']}", diff --git a/upload/language/lang_english/lang_admin.php b/upload/language/lang_english/lang_admin.php index 2b4a878b4..f9804da50 100644 --- a/upload/language/lang_english/lang_admin.php +++ b/upload/language/lang_english/lang_admin.php @@ -251,8 +251,6 @@ $lang['ALLOW_NAME_CHANGE'] = 'Allow Username changes'; $lang['AVATAR_SETTINGS'] = 'Avatar Settings'; $lang['ALLOW_LOCAL'] = 'Enable gallery avatars'; -$lang['ALLOW_REMOTE'] = 'Enable remote avatars'; -$lang['ALLOW_REMOTE_EXPLAIN'] = 'Avatars linked to from another website'; $lang['ALLOW_UPLOAD'] = 'Enable avatar uploading'; $lang['MAX_FILESIZE'] = 'Maximum Avatar File Size'; $lang['MAX_FILESIZE_EXPLAIN'] = 'For uploaded avatar files'; 
diff --git a/upload/language/lang_english/lang_main.php b/upload/language/lang_english/lang_main.php index 25a4a2bd7..acb0b27c0 100644 --- a/upload/language/lang_english/lang_main.php +++ b/upload/language/lang_english/lang_main.php @@ -556,7 +556,6 @@ $lang['ONLY_ONE_AVATAR'] = 'Only one type of avatar can be specified'; $lang['FILE_NO_DATA'] = 'The file at the URL you gave contains no data'; $lang['NO_CONNECTION_URL'] = 'A connection could not be made to the URL you gave'; $lang['INCOMPLETE_URL'] = 'The URL you entered is incomplete'; -$lang['WRONG_REMOTE_AVATAR_FORMAT'] = 'The URL of the remote avatar is not valid'; $lang['NO_SEND_ACCOUNT_INACTIVE'] = 'Sorry, but your password cannot be retrieved because your account is currently inactive'; $lang['NO_SEND_ACCOUNT'] = 'Sorry, but your password cannot be retrieved. Please contact the forum administrator for more information'; @@ -615,12 +614,7 @@ $lang['RESET_AUTOLOGIN_EXPL'] = ''; $lang['AVATAR'] = 'Avatar'; $lang['AVATAR_EXPLAIN'] = 'Displays a small graphic image below your details in posts. Only one image can be displayed at a time, its width can be no greater than %d pixels, the height no greater than %d pixels, and the file size no more than %d KB.'; $lang['UPLOAD_AVATAR_FILE'] = 'Upload Avatar from your machine'; -$lang['UPLOAD_AVATAR_URL'] = 'Upload Avatar from a URL'; -$lang['UPLOAD_AVATAR_URL_EXPLAIN'] = 'Enter the URL of the location containing the Avatar image, it will be copied to this site.'; $lang['PICK_LOCAL_AVATAR'] = 'Select Avatar from the gallery'; -$lang['LINK_REMOTE_AVATAR'] = 'Link to off-site Avatar'; -$lang['LINK_REMOTE_AVATAR_EXPLAIN'] = 'Enter the URL of the location containing the Avatar image you wish to link to.'; -$lang['AVATAR_URL'] = 'URL of Avatar Image'; $lang['SELECT_FROM_GALLERY'] = 'Select Avatar from gallery'; $lang['VIEW_AVATAR_GALLERY'] = 'Show gallery'; 
diff --git a/upload/language/lang_russian/lang_admin.php b/upload/language/lang_russian/lang_admin.php index 44d45bd8e..038eba97c 100644 --- a/upload/language/lang_russian/lang_admin.php +++ b/upload/language/lang_russian/lang_admin.php @@ -252,8 +252,6 @@ $lang['ALLOW_NAME_CHANGE'] = 'Разрешить смену имени поль $lang['AVATAR_SETTINGS'] = 'Настройки аватар'; $lang['ALLOW_LOCAL'] = 'Разрешить аватар из галереи'; -$lang['ALLOW_REMOTE'] = 'Разрешить удалённых аватар'; -$lang['ALLOW_REMOTE_EXPLAIN'] = 'Ссылка на аватару, находящуюся на другом сайте'; $lang['ALLOW_UPLOAD'] = 'Разрешить закачку аватар'; $lang['MAX_FILESIZE'] = 'Макс. размер файла аватары'; $lang['MAX_FILESIZE_EXPLAIN'] = 'Для закачанных файлов'; diff --git a/upload/language/lang_russian/lang_main.php b/upload/language/lang_russian/lang_main.php index d2b164269..91e5b353c 100644 --- a/upload/language/lang_russian/lang_main.php +++ b/upload/language/lang_russian/lang_main.php @@ -559,7 +559,6 @@ $lang['ONLY_ONE_AVATAR'] = 'Может быть указан только оди $lang['FILE_NO_DATA'] = 'Файл по указанному вами URL не содержит данных'; $lang['NO_CONNECTION_URL'] = 'Невозможно установить соединения с указанным вами URL'; $lang['INCOMPLETE_URL'] = 'Вы указали неполный URL'; -$lang['WRONG_REMOTE_AVATAR_FORMAT'] = 'Неверный URL удалённой аватары'; $lang['NO_SEND_ACCOUNT_INACTIVE'] = 'Извините, но пароль не может быть выслан (учётная запись неактивна)'; $lang['NO_SEND_ACCOUNT'] = 'Извините, но пароль для этого пользователя не может быть выслан. Обратитесь к администраторам форума за дополнительной информацией'; 
@@ -618,12 +617,7 @@ $lang['RESET_AUTOLOGIN_EXPL'] = 'включая все места, где вы $lang['AVATAR'] = 'Аватара'; $lang['AVATAR_EXPLAIN'] = 'Показывает небольшое изображение под информацией о вас в сообщениях. Может быть показано только одно изображение, шириной не более %d пикселов, высотой не более %d пикселов и объёмом не более %d кб.'; $lang['UPLOAD_AVATAR_FILE'] = 'Загрузить аватару с вашего компьютера'; -$lang['UPLOAD_AVATAR_URL'] = 'Загрузить аватару с URL'; -$lang['UPLOAD_AVATAR_URL_EXPLAIN'] = 'Введите URL по которому находится файл с изображением, он будет скопирован на этот сайт.'; $lang['PICK_LOCAL_AVATAR'] = 'Выбрать аватару из галереи'; -$lang['LINK_REMOTE_AVATAR'] = 'Показывать аватару с другого сервера'; -$lang['LINK_REMOTE_AVATAR_EXPLAIN'] = 'Введите URL изображения, на которое вы хотите сослаться.'; -$lang['AVATAR_URL'] = 'URL изображения аватары'; $lang['SELECT_FROM_GALLERY'] = 'Выбрать аватару из галереи'; $lang['VIEW_AVATAR_GALLERY'] = 'Показать галерею'; diff --git a/upload/templates/admin/admin_board.tpl b/upload/templates/admin/admin_board.tpl index 54c948151..c3d483535 100644 --- a/upload/templates/admin/admin_board.tpl +++ b/upload/templates/admin/admin_board.tpl @@ -183,13 +183,6 @@ - -

{L_ALLOW_REMOTE}

{L_ALLOW_REMOTE_EXPLAIN}
- -    - - -

{L_ALLOW_UPLOAD}

diff --git a/upload/templates/default/usercp_register.tpl b/upload/templates/default/usercp_register.tpl index b21fdcce6..b377eb9b6 100644 --- a/upload/templates/default/usercp_register.tpl +++ b/upload/templates/default/usercp_register.tpl @@ -18,7 +18,7 @@ ajax.callback.user_register = function(data){ -
+ @@ -272,18 +272,6 @@ ajax.callback.posts = function(data){ - - - {L_UPLOAD_AVATAR_URL}:
{L_UPLOAD_AVATAR_URL_EXPLAIN}
- - - - - - {L_LINK_REMOTE_AVATAR}:
{L_LINK_REMOTE_AVATAR_EXPLAIN}
- - - {L_AVATAR_GALLERY}: