Profile pictures are now handled by the application to mitigate possible directory traversals

to other sub-directories of the static directory (Admins/Staff with the right to edit user
accounts were able to set a path like ../static/favicon.png for the profile picture - this
isn't a "i'm in, now i have root access and can hack your mom"-vulnerability, but better fix
it before it evolves to one. or a dragon. it's too late for this crap.)

application/app/views.py

@@ -1,12 +1,16 @@
 import json
 import sys
 
+from pathlib import Path
+
+from django.conf import settings
 from django.contrib.auth import authenticate
 from django.contrib.auth import get_user_model
 from django.contrib.auth import login
 from django.contrib.auth.decorators import login_required
 from django.contrib.auth.forms import AuthenticationForm
 from django.http.response import HttpResponseRedirect
+from django.http.response import FileResponse
 from django.http.response import HttpResponse
 from django.shortcuts import render
 
@@ -20,6 +24,9 @@ from .models import Drink
 from .models import Order
 from .models import RegisterTransaction
 
+#
+
+profile_pictures_path = Path(settings.PROFILE_PICTURES).resolve()
 
 # login view
 
@@ -112,6 +119,23 @@ def redirect_home(request):
     return HttpResponseRedirect("/")
 
 
+# Custom-Handled Resources
+
+def profile_pictures(request):
+    if not "name" in request.GET:
+        return HttpResponse(b"", status=400)
+    print(request.GET["name"])
+    ppic_filepath = Path(profile_pictures_path / request.GET["name"]).resolve()
+    try:
+        ppic_filepath.relative_to(profile_pictures_path)
+    except:
+        return HttpResponse("No.", status=403)
+    if ppic_filepath.is_file():
+        return FileResponse(ppic_filepath.open('rb'))
+    else:
+        return FileResponse(b"", status=404)
+
+
 # API for XHR requests #
 
 @login_required