Profile pictures are now handled by the application to mitigate possible directory traversals

to other sub-directories of the static directory (Admins/Staff with the right to edit user accounts were able to set a path like ../static/favicon.png for the profile picture - this isn't a "i'm in, now i have root access and can hack your mom"-vulnerability, but better fix it before it evolves to one. or a dragon. it's too late for this crap.)
2022-11-02 21:55:36 +01:00 · 2022-11-02 21:55:36 +01:00 · 9f270c12b4
commit 9f270c12b4
parent 86ea7c0000
8 changed files with 34 additions and 4 deletions
--- a/application/app/templates/registration/login.html
+++ b/application/app/templates/registration/login.html
@ -69,7 +69,7 @@
        <ul class="userlist">
            {% for user_ in user_list %}
                <li class="userlistButton button" data-username="{{ user_.username }}">
-                    <img src="{% static 'profilepictures/'|add:user_.profile_picture_filename %}">
+                    <img src="{{ '/profilepictures?name='|add:user_.profile_picture_filename }}">
                    <div>
                        {% if user_.first_name %}