Merge pull request #1523 from dbarbera/avatar_formats_fix

add image authorization on upload_avatar
2024-11-27 23:03:38 +08:00 · 2013-10-14 05:33:25 -07:00 · 2013-10-14 05:33:25 -07:00 · d80f4fa3f7
commit d80f4fa3f7
parent c954807a63 9106596a9a
2 changed files with 10 additions and 0 deletions
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -302,6 +302,10 @@ class UsersController < ApplicationController

    file = params[:file] || params[:files].first

+    unless SiteSetting.authorized_image?(file)
+      return render status: 422, text: I18n.t("upload.images.unknown_image_type")
+    end
+
    # check the file size (note: this might also be done in the web server)
    filesize = File.size(file.tempfile)
    max_size_kb = SiteSetting.max_image_size_kb * 1024
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@ -966,6 +966,12 @@ describe UsersController do
        response.status.should eq 413
      end

+      it 'rejects unauthorized images' do
+        SiteSetting.stubs(:authorized_image?).returns(false)
+        xhr :post, :upload_avatar, username: user.username, file: avatar
+        response.status.should eq 422
+      end
+
      it 'is successful' do
        upload = Fabricate(:upload)
        Upload.expects(:create_for).returns(upload)