Avoid user enumeration by using avatar image url

This commit is contained in:
Frédéric Guillot
2021-06-05 15:50:43 -07:00
committed by fguillot
parent 728ba61450
commit cc6f1db846
3 changed files with 8 additions and 2 deletions


@@ -65,6 +65,7 @@ class AvatarFileController extends BaseController
{
$user_id = $this->request->getIntegerParam('user_id');
$size = $this->request->getStringParam('size', 48);
$hash = $this->request->getStringParam('hash');
if ($size > 100) {
$this->response->status(400);
@@ -74,6 +75,11 @@ class AvatarFileController extends BaseController
$filename = $this->avatarFileModel->getFilename($user_id);
$etag = md5($filename.$size);
if ($hash !== $etag) {
$this->response->status(404);
return;
}
$this->response->withCache(365 * 86400, $etag);
$this->response->withContentType('image/png');