From fa08493348f54fae3eed64f8de4eb5893000a918 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?=
Date: Fri, 1 Feb 2019 12:12:36 -0800
Subject: [PATCH] Limit avatar image size

fixes #4041
---
 app/Controller/AvatarFileController.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/app/Controller/AvatarFileController.php b/app/Controller/AvatarFileController.php
index ed8a10288..81a324fbd 100644
--- a/app/Controller/AvatarFileController.php
+++ b/app/Controller/AvatarFileController.php
@@ -59,6 +59,12 @@ class AvatarFileController extends BaseController
 {
 $user_id = $this->request->getIntegerParam('user_id');
 $size = $this->request->getStringParam('size', 48);
+
+ if ($size > 100) {
+ $this->response->status(400);
+ return;
+ }
+
 $filename = $this->avatarFileModel->getFilename($user_id);
 $etag = md5($filename.$size);