Patch unauthorized access to other user's pfps ()

* patch unauthorized viewing of other users' pfps

* inline return responses

---------

Co-authored-by: Timothy Carambat <rambat1010@gmail.com>
Sean Hatfield 2024-12-31 06:36:51 +08:00 committed by GitHub
parent 0b7bf68f2c
commit 696af19c45
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -659,24 +659,18 @@ function systemEndpoints(app) {
async function (request, response) {
try {
const { id } = request.params;
const pfpPath = await determinePfpFilepath(id);
if (response.locals?.user?.id !== Number(id))
return response.sendStatus(204).end();
if (!pfpPath) {
response.sendStatus(204).end();
return;
}
const pfpPath = await determinePfpFilepath(id);
if (!pfpPath) return response.sendStatus(204).end();
const { found, buffer, size, mime } = fetchPfp(pfpPath);
if (!found) {
response.sendStatus(204).end();
return;
}
if (!found) return response.sendStatus(204).end();
response.writeHead(200, {
"Content-Type": mime || "image/png",
"Content-Disposition": `attachment; filename=${path.basename(
pfpPath
)}`,
"Content-Disposition": `attachment; filename=${path.basename(pfpPath)}`,
"Content-Length": size,
});
response.end(Buffer.from(buffer, "base64"));