From 696af19c45473172ad4d3ca749281800a4d1a45a Mon Sep 17 00:00:00 2001
From: Sean Hatfield <seanhatfield5@gmail.com>
Date: Tue, 31 Dec 2024 06:36:51 +0800
Subject: [PATCH] Patch unauthorized access to other user's pfps (#2904)

* patch unauthorized viewing of other user's pfps

* inline return responses

---------

Co-authored-by: Timothy Carambat <rambat1010@gmail.com>
---
 server/endpoints/system.js | 18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)

diff --git a/server/endpoints/system.js b/server/endpoints/system.js
index 9924ec694..d060e503f 100644
--- a/server/endpoints/system.js
+++ b/server/endpoints/system.js
@@ -659,24 +659,18 @@ function systemEndpoints(app) {
     async function (request, response) {
       try {
         const { id } = request.params;
-        const pfpPath = await determinePfpFilepath(id);
+        if (response.locals?.user?.id !== Number(id))
+          return response.sendStatus(204).end();
 
-        if (!pfpPath) {
-          response.sendStatus(204).end();
-          return;
-        }
+        const pfpPath = await determinePfpFilepath(id);
+        if (!pfpPath) return response.sendStatus(204).end();
 
         const { found, buffer, size, mime } = fetchPfp(pfpPath);
-        if (!found) {
-          response.sendStatus(204).end();
-          return;
-        }
+        if (!found) return response.sendStatus(204).end();
 
         response.writeHead(200, {
           "Content-Type": mime || "image/png",
-          "Content-Disposition": `attachment; filename=${path.basename(
-            pfpPath
-          )}`,
+          "Content-Disposition": `attachment; filename=${path.basename(pfpPath)}`,
           "Content-Length": size,
         });
         response.end(Buffer.from(buffer, "base64"));