AS1024/Kanboard-Prod
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Avoid user enumeration by using avatar image url

Browse Source
This commit is contained in:
Frédéric Guillot
2021-06-05 15:50:43 -07:00
committed by fguillot
parent 728ba61450
commit cc6f1db846
3 changed files with 8 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
app/Controller/AvatarFileController.php
View File

@@ -65,6 +65,7 @@ class AvatarFileController extends BaseController
{
$user_id = $this->request->getIntegerParam('user_id');
$size = $this->request->getStringParam('size', 48);
$hash = $this->request->getStringParam('hash');
if ($size > 100) {
$this->response->status(400);
@@ -74,6 +75,11 @@ class AvatarFileController extends BaseController
$filename = $this->avatarFileModel->getFilename($user_id);
$etag = md5($filename.$size);
if ($hash !== $etag) {
$this->response->status(404);
return;
}
$this->response->withCache(365 * 86400, $etag);
$this->response->withContentType('image/png');

2
app/User/Avatar/AvatarFileProvider.php
View File

@@ -23,7 +23,7 @@ class AvatarFileProvider extends Base implements AvatarProviderInterface
*/
public function render(array $user, $size)
{
$url = $this->helper->url->href('AvatarFileController', 'image', array('user_id' => $user['id'], 'hash' => md5($user['avatar_path']), 'size' => $size));
$url = $this->helper->url->href('AvatarFileController', 'image', array('user_id' => $user['id'], 'hash' => md5($user['avatar_path'].$size), 'size' => $size));
$title = $this->helper->text->e($user['name'] ?: $user['username']);
return '<img src="' . $url . '" alt="' . $title . '" title="' . $title . '">';
}