changeset f92c122dbaa8 in www.tryton.org:default
details: https://hg.tryton.org/www.tryton.org?cmd=changeset&node=f92c122dbaa8
description:
Sanitize avatar parameter values
diffstat:
app.py | 13 +++++++++++++
1 files changed, 13 insertions(+), 0 deletions(-)
diffs (23 lines):
diff -r 49525086aaf7 -r f92c122dbaa8 app.py
--- a/app.py Tue Feb 08 09:54:37 2022 +0100
+++ b/app.py Tue Feb 08 10:14:24 2022 +0100
@@ -726,6 +726,19 @@
def avatar(hash):
if not set(request.args.keys()).issubset(set('sdr')):
abort(HTTPStatus.BAD_REQUEST)
+ if request.args.get('s'):
+ try:
+ if not (1 < int(request.args.get('s')) < 2048):
+ abort(HTTPStatus.BAD_REQUEST)
+ except ValueError:
+ abort(HTTPStatus.BAD_REQUEST)
+ if request.args.get('d') and request.args.get('d') not in {
+ '404', 'mp', 'identicon', 'monsterid', 'wavatar', 'retro',
+ 'robohash', 'blank'}:
+ abort(HTTPStatus.BAD_REQUEST)
+ if request.args.get('r') and request.args.get('r') not in {
+ 'g', 'pg', 'r', 'x'}:
+ abort(HTTPStatus.BAD_REQUEST)
return fetch_gravatar(hash, **request.args)
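Review bot: The size check on L18 validates `int(request.args.get('s'))`, but L29 still forwards the raw query string through `**request.args`, and Python's `int()` accepts forms the check never sees again — surrounding whitespace, a leading `+`, digit-group underscores (`6_4`) and non-ASCII decimal digits — so a value such as `s=+64` passes validation and reaches fetch_gravatar unchanged. Restricting the accepted syntax to plain ASCII digits closes that gap, makes the try/except unnecessary, and keeps a very long digit string from hitting the interpreter's int-conversion length limit and turning a bad request into a 500: `size = request.args.get('s')` / `if size and not (len(size) <= 4 and size.isascii() and size.isdigit() and 1 < int(size) < 2048):` / `    abort(HTTPStatus.BAD_REQUEST)`. The strict `1 < … < 2048` also rejects the boundary sizes 1 and 2048, which Gravatar appears to accept, so `<=` is probably what was intended. The `hash` path segment is still passed through unchecked here; if fetch_gravatar builds the upstream URL from it, constraining it to 32 (or 64) lowercase hex characters belongs in the same sanitisation. The hunk's trailing context lines after the `return` are not shown in this view.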