Avoid user enumeration by using avatar image url

Frédéric Guillot
2021-06-05 15:50:43 -07:00
committed by fguillot
parent 728ba61450
commit cc6f1db846
3 changed files with 8 additions and 2 deletions


@@ -23,7 +23,7 @@ class AvatarFileProvider extends Base implements AvatarProviderInterface
*/
public function render(array $user, $size)
{
$url = $this->helper->url->href('AvatarFileController', 'image', array('user_id' => $user['id'], 'hash' => md5($user['avatar_path']), 'size' => $size));
$url = $this->helper->url->href('AvatarFileController', 'image', array('user_id' => $user['id'], 'hash' => md5($user['avatar_path'].$size), 'size' => $size));
$title = $this->helper->text->e($user['name'] ?: $user['username']);
return '<img src="' . $url . '" alt="' . $title . '" title="' . $title . '">';
}
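Review bot: The `hash` parameter in `render()` is an unkeyed MD5 over `$user['avatar_path']` and `$size`, so it only prevents enumeration as long as `avatar_path` itself is unguessable. The page prints both variants of the `$url` line without markers; this assumes the one with `.$size` is the new side. A keyed digest does not depend on how the path is generated, for example `'hash' => hash_hmac('sha256', $user['avatar_path'].$size, $serverSideSecret)`, where `$serverSideSecret` is a placeholder for an application secret not shown here. The matching check in `AvatarFileController` is outside this hunk; it should compare with `hash_equals()` and return the same response for an unknown user as for a wrong hash, otherwise the response itself still reveals which ids exist.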