Profile pictures are now handled by the application to mitigate possible directory traversals

to other sub-directories of the static directory (Admins/Staff with the right to edit user accounts were able to set a path like ../static/favicon.png for the profile picture - this isn't a "i'm in, now i have root access and can hack your mom"-vulnerability, but better fix it before it evolves to one. or a dragon. it's too late for this crap.)
2022-11-02 21:55:36 +01:00 · 2022-11-02 21:55:36 +01:00 · 9f270c12b4
commit 9f270c12b4
parent 86ea7c0000
8 changed files with 34 additions and 4 deletions
--- a/lib/env.sh
+++ b/lib/env.sh
@ -1,6 +1,7 @@
 #!/usr/bin/env bash

 export DJANGO_SK_ABS_FP="$(pwd)/config/secret_key.txt"
+export PROFILE_PICTURES="$(pwd)/profilepictures/"
 export STATIC_FILES="$(pwd)/static/"
 export APP_VERSION="12"
 export PYTHONPATH="$(pwd)/packages/"