Profile pictures are now handled by the application to mitigate possible directory traversals to other sub-directories of the static directory (Admins/Staff with the right to edit user accounts were able to set a path like ../static/favicon.png for the profile picture. This isn't an "I'm in, now I have root access and can hack your mom" vulnerability, but better fix it before it evolves into one. Or a dragon. It's too late for this crap.)
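The commit message describes the bug class (a stored profile-picture value such as ../static/favicon.png that the static file server then resolves outside the intended directory) and the remedy (the application serves the pictures itself). The following is an added example of that check, not code from this commit or from the project; the directory name profilepictures/ and the fallback default.svg are taken from the .gitignore entries in this commit, and everything else (function names, the allowed extensions, the name length limit) is an assumption made for the example.

```python
# Added example, not code from this commit or from the project: how an
# application can hand out profile pictures itself while rejecting a stored
# value such as ../static/favicon.png, the traversal the commit message
# describes. Directory and file names are assumptions based on the
# .gitignore entries in this commit (profilepictures/, default.svg).
import re
from pathlib import Path
from typing import Optional

# Assumed upload directory; resolve() so later comparisons use a canonical path.
PICTURE_DIR = Path("profilepictures").resolve()
# The project's tracked fallback picture (an svg, returned by name below,
# never passed through the user-name check).
DEFAULT_PICTURE = "default.svg"
# Allowlist for user-supplied names: exactly one path component, bounded
# length, raster extensions only. SVG is excluded for uploads because inline
# SVG can carry script; only the tracked default.svg is served as SVG.
_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.(png|jpe?g|gif)")


def resolve_picture_path(name: str, base: Path = PICTURE_DIR) -> Path:
    """Map a stored picture name to a file under `base`.

    Raises ValueError when the name is not a plain file name or when, after
    resolving symlinks, the target lies outside `base`.
    """
    if not _NAME_RE.fullmatch(name):
        raise ValueError(f"invalid picture name: {name!r}")
    candidate = (base / name).resolve()
    # The regex already forbids separators and '..', so this second check
    # only matters if a symlink inside the directory points elsewhere.
    if candidate.parent != base:
        raise ValueError(f"path escapes picture directory: {name!r}")
    return candidate


def is_safe_picture_name(name: str, base: Path = PICTURE_DIR) -> bool:
    """True if `name` would be accepted by resolve_picture_path()."""
    try:
        resolve_picture_path(name, base)
    except ValueError:
        return False
    return True


def picture_for(stored_value: Optional[str], base: Path = PICTURE_DIR) -> Path:
    """Path the application should serve for an account.

    A missing value, or a legacy value that fails the check (for example one
    set to ../static/favicon.png before the fix), degrades to the default
    picture instead of raising, so existing accounts keep working.
    """
    if stored_value and is_safe_picture_name(stored_value, base):
        return resolve_picture_path(stored_value, base)
    return base / DEFAULT_PICTURE


if __name__ == "__main__":
    for value in ("alice.png", "../static/favicon.png", None):
        print(repr(value), "->", picture_for(value))
```

The allowlist regex does the real work; the `resolve()` comparison is kept so a symlink dropped into the upload directory cannot redirect a valid-looking name outside it. Serving through `picture_for()` rather than handing the stored string to the static file server is what removes the traversal, and treating a bad legacy value as "use the default" avoids breaking accounts edited before the fix.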
parent 86ea7c0000
commit 9f270c12b4
8 changed files with 34 additions and 4 deletions
.gitignore (vendored): 4 changes
|
@ -4,6 +4,7 @@
|
|||
/archive/*
|
||||
/logs/*
|
||||
/packages/*
|
||||
/profilepictures/*
|
||||
/temp
|
||||
/tmp
|
||||
__pycache__
|
||||
|
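Review bot: `/profilepictures/*` ignores the files but not the directory, so a fresh clone only has a `profilepictures/` directory if some tracked file lives inside it or the application creates it on startup; confirm one of the two holds (the `!/profilepictures/default.svg` negation in the next hunk covers it as long as that file is actually committed). Also check that the Caddyfile tracked under `/config/Caddyfile` does not serve `/profilepictures/` as a static root as well, since the commit message says the application, not the static file server, now hands out these pictures.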
@ -12,4 +13,5 @@ __pycache__
|
|||
!/config/config.sample.sh
|
||||
!/config/Caddyfile
|
||||
!/config/tls/
|
||||
!.gitkeep
|
||||
!/profilepictures/default.svg
|
||||
!.gitkeep
|
||||
|
|
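Review bot: the hunk header (-12,4 +13,5) together with `!.gitkeep` appearing both before and after `!/profilepictures/default.svg` means the existing `!.gitkeep` line was deleted and re-added below the new entry; inserting `!/profilepictures/default.svg` above the untouched `!.gitkeep` gives the same result as a one-line addition and keeps blame for that line intact. Note also that this negation only works because the rule added in the first hunk is `/profilepictures/*` (matching files) rather than `/profilepictures/` (matching the directory): git cannot re-include a file inside an ignored directory, so that rule must not be "simplified" later. Since `default.svg` is tracked but lives in the upload directory, make sure user uploads cannot be written under that name.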