AS1024
/
Kanboard-Prod
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Avoid user enumeration by using avatar image url

This commit is contained in:
Frédéric Guillot 2021-06-05 15:50:43 -07:00 committed by fguillot
parent 728ba61450
commit cc6f1db846
3 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
app/Controller/AvatarFileController.php
View File

@ -65,6 +65,7 @@ class AvatarFileController extends BaseController
{
$user_id = $this->request->getIntegerParam('user_id');
$size = $this->request->getStringParam('size', 48);
$hash = $this->request->getStringParam('hash');
if ($size > 100) {
$this->response->status(400);
@ -74,6 +75,11 @@ class AvatarFileController extends BaseController
$filename = $this->avatarFileModel->getFilename($user_id);
$etag = md5($filename.$size);
if ($hash !== $etag) {
$this->response->status(404);
return;
}
$this->response->withCache(365 * 86400, $etag);
$this->response->withContentType('image/png');

2
app/User/Avatar/AvatarFileProvider.php
View File

@ -23,7 +23,7 @@ class AvatarFileProvider extends Base implements AvatarProviderInterface
*/
public function render(array $user, $size)
{
$url = $this->helper->url->href('AvatarFileController', 'image', array('user_id' => $user['id'], 'hash' => md5($user['avatar_path']), 'size' => $size));
$url = $this->helper->url->href('AvatarFileController', 'image', array('user_id' => $user['id'], 'hash' => md5($user['avatar_path'].$size), 'size' => $size));
$title = $this->helper->text->e($user['name'] ?: $user['username']);
return '<img src="' . $url . '" alt="' . $title . '" title="' . $title . '">';
}

2
tests/units/Formatter/UserMentionFormatterTest.php
View File

@ -29,7 +29,7 @@ class UserMentionFormatterTest extends Base
$expected = array(
array(
'value' => 'someone',
'html' => '<div class="avatar avatar-20 avatar-inline"><img src="?controller=AvatarFileController&amp;action=image&amp;user_id=1&amp;hash=5acc03af0274414544b9615fb223d925&amp;size=20" alt="Someone" title="Someone"></div> someone <small aria-hidden="true">Someone</small>',
'html' => '<div class="avatar avatar-20 avatar-inline"><img src="?controller=AvatarFileController&amp;action=image&amp;user_id=1&amp;hash=871b0146d6689014b79b878c7b120151&amp;size=20" alt="Someone" title="Someone"></div> someone <small aria-hidden="true">Someone</small>',
),
array(
'value' => 'somebody',