Profile pictures are now handled by the application to mitigate possible directory traversals
to other sub-directories of the static directory (Admins/Staff with the right to edit user
accounts were able to set a path like ../static/favicon.png for the profile picture - this
isn't a "I'm in, now I have root access and can hack your mom"-vulnerability, but better fix
it before it evolves to one. Or a dragon. It's too late for this crap.)
This commit is contained in:
W13R 2022-11-02 21:55:36 +01:00
parent 86ea7c0000
commit 9f270c12b4
8 changed files with 34 additions and 4 deletions
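The traversal the commit message describes (a stored profile-picture value such as `../static/favicon.png` escaping the picture directory) comes down to joining an admin-supplied string onto a directory without checking where it ends up. The following is an added example, not code from this project or this commit; the directory layout (`static/profilepictures/`) and the function names are assumptions made for illustration. It shows the unsafe join beside a resolver that only accepts a bare file name inside the picture directory and re-checks containment after resolving symlinks.

```python
from pathlib import Path, PurePosixPath
from typing import Optional

# Assumed layout for this example (not the project's real paths):
# static/
#   favicon.png
#   profilepictures/
#     alice.png
STATIC_ROOT = Path("static").resolve()
PROFILE_PICTURE_DIR = (STATIC_ROOT / "profilepictures").resolve()


def unsafe_profile_picture_path(value: str) -> Path:
    """Pre-fix behaviour: the stored value is joined onto the directory verbatim.

    A value like '../favicon.png' therefore resolves to a file outside
    PROFILE_PICTURE_DIR, which is exactly the traversal being mitigated.
    """
    return PROFILE_PICTURE_DIR / value


def safe_profile_picture_path(value: str) -> Optional[Path]:
    """Resolve a stored profile-picture name to a file inside PROFILE_PICTURE_DIR.

    Returns None for anything that is not a single plain file name: empty
    values, absolute paths, '.', '..', or anything containing a separator.
    """
    parts = PurePosixPath(value).parts
    if len(parts) != 1 or parts[0] in (".", "..") or "\\" in value:
        return None
    candidate = (PROFILE_PICTURE_DIR / parts[0]).resolve()
    # Defence in depth: even after following symlinks, the target must still
    # sit under the picture directory; relative_to raises if it does not.
    try:
        candidate.relative_to(PROFILE_PICTURE_DIR)
    except ValueError:
        return None
    return candidate


def escapes_picture_dir(value: str) -> bool:
    """Report whether the pre-fix join would have served a file outside the directory."""
    try:
        unsafe_profile_picture_path(value).resolve().relative_to(PROFILE_PICTURE_DIR)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample values: one legitimate name, the traversal from the
    # commit message, and an absolute path.
    for sample in ("alice.png", "../static/favicon.png", "../favicon.png", "/etc/passwd"):
        print(f"{sample!r}: unsafe escapes={escapes_picture_dir(sample)}, "
              f"safe -> {safe_profile_picture_path(sample)}")
```

The single-component check does the real work; the `relative_to` check after `resolve()` is there so that a symlink dropped into the picture directory cannot point the served file elsewhere either.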


@ -16,9 +16,10 @@ urlpatterns = [
path('accounts/password_change/', auth_views.PasswordChangeView.as_view(), name='password_change'),
path('accounts/password_change_done/', views.redirect_home, name='password_change_done'),
path('admin/', adminSite.urls),
# custom-handled resources
path('profilepictures', views.profile_pictures),
# API #
path('api/order-drink', views.api_order_drink),
path('api/deposit', views.api_deposit),
path('api/supply', views.api_supply)
#path('api/get-statistics', views.api_get_statistics)
]
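Review bot: `path('api/supply', views.api_supply)` has no trailing comma, so simply uncommenting the `#path('api/get-statistics', views.api_get_statistics)` line below it would be a SyntaxError; add the comma now (`path('api/supply', views.api_supply),`). The new `path('profilepictures', views.profile_pictures)` route is the only part of the mitigation visible in this hunk: it moves serving into a view, but the hunk shows nothing of how that view constrains the requested name, so the review should confirm the view accepts only a bare file name resolved inside the profile-picture directory and rejects `..` or separator components, which is the traversal the commit message describes. Giving the route a `name=` as the `accounts/` routes have would also let templates reference it via `{% url %}` instead of a hard-coded path.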