Secure avatar generation

Matéo Duparc 2021-05-28 18:53:16 +02:00
parent 10e496e36f
commit 0eee053b5e
Signed by: hardcoresushi
GPG Key ID: 007F84120107191E
2 changed files with 3 additions and 3 deletions


@ -815,7 +815,7 @@ function sendNextLargeFile(sessionId) {
}
function refreshAvatar(selector, sessionId) {
let avatar = document.querySelector(selector);
if (typeof avatar !== "undefined") {
if (avatar !== null) {
if (typeof sessionId === "undefined") {
avatar.src = "/avatar/self?"+avatarTimestamps.get("self");
} else {
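Review bot: The new `if (avatar !== null)` test is the right one for `document.querySelector`, which yields `null` rather than `undefined` when nothing matches, but it keeps the whole body nested inside two `if`s; a guard clause, `if (avatar === null) return;`, would flatten it and make the "element missing" case explicit. On the line after it, the cache-busting suffix `avatarTimestamps.get("self")` becomes the literal `?undefined` whenever the map has no entry for `"self"`, which presumably just yields a stale-cache miss but is worth confirming against how the timestamps are populated. `refreshAvatar`'s body continues past the end of the hunk.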


@ -370,7 +370,7 @@ fn reply_with_avatar(avatar: Option<Vec<u8>>, name: Option<&str>) -> HttpRespons
let svg = include_str!(concat!(env!("OUT_DIR"), "/text_avatar.svg"));
#[cfg(debug_assertions)]
let svg = replace_fields("src/frontend/imgs/text_avatar.svg");
HttpResponse::Ok().content_type("image/svg+xml").body(svg.replace("LETTER", &name.chars().nth(0).unwrap().to_string()))
HttpResponse::Ok().content_type("image/svg+xml").body(svg.replace("LETTER", &name.chars().nth(0).unwrap_or('?').to_string()))
}
None => HttpResponse::InternalServerError().finish()
}
@ -383,7 +383,7 @@ fn handle_avatar(req: HttpRequest) -> HttpResponse {
if splits[1] == "self" {
return reply_with_avatar(Identity::get_identity_avatar().ok(), Identity::get_identity_name().ok().as_deref());
}
} else if splits.len() == 3 {
} else if splits.len() == 3 && is_authenticated(&req) {
if let Ok(session_id) = splits[1].parse() {
let global_vars = req.app_data::<Data<Arc<RwLock<GlobalVars>>>>().unwrap();
return reply_with_avatar(global_vars.read().unwrap().session_manager.get_avatar(&session_id), Some(splits[2]));
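Review bot: Folding `is_authenticated(&req)` into the `else if` condition means an unauthenticated request for a three-segment path falls through to whatever follows the hunk instead of being rejected explicitly; a dedicated check, `} else if splits.len() == 3 { if !is_authenticated(&req) { return HttpResponse::Unauthorized().finish(); }`, gives the client a 401 and keeps the fallback for genuinely malformed paths. The `self` branch just above the changed line still serves the identity's avatar and name with no authentication visible in the hunk, so unless the `if` condition before the hunk (outside view) already applies one, the local user's name leaks to any client. Separately, `Some(splits[2])` hands a client-supplied URL segment to `reply_with_avatar`, which in the earlier hunk inserts its first character into the SVG via `svg.replace("LETTER", …)` with no XML escaping; a leading `<` or `&` yields malformed SVG, so escape that character or derive the letter from the session's stored name instead of the path. `handle_avatar`'s body continues outside the hunk.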