Profile pictures are now handled by the application to mitigate possible directory traversals

to other sub-directories of the static directory (Admins/Staff with the right to edit user accounts were able to set a path like ../static/favicon.png for the profile picture - this isn't a "i'm in, now i have root access and can hack your mom"-vulnerability, but better fix it before it evolves to one. or a dragon. it's too late for this crap.)
2022-11-02 21:55:36 +01:00 · 2022-11-02 21:55:36 +01:00 · 9f270c12b4
commit 9f270c12b4
parent 86ea7c0000
8 changed files with 34 additions and 4 deletions
--- a/application/drinks_manager/settings.py
+++ b/application/drinks_manager/settings.py
@ -175,3 +175,5 @@ try:
    CURRENCY_SUFFIX = os.environ["CURRENCY_SUFFIX"]
 except KeyError:
    CURRENCY_SUFFIX = "$"
+
+PROFILE_PICTURES = os.environ["PROFILE_PICTURES"]