From 02d02701150767af64c33411538e49f802da22e9 Mon Sep 17 00:00:00 2001
From: Hayden <64056131+hay-kot@users.noreply.github.com>
Date: Fri, 4 Jul 2025 12:25:48 -0500
Subject: [PATCH] use random path instead of user provided value

---
 mealie/routes/users/images.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/mealie/routes/users/images.py b/mealie/routes/users/images.py
index b472e4b1f..c2606c6f6 100644
--- a/mealie/routes/users/images.py
+++ b/mealie/routes/users/images.py
@@ -1,4 +1,5 @@
 import shutil
+from uuid import uuid4
 
 from fastapi import File, HTTPException, UploadFile, status
 from pydantic import UUID4
@@ -24,7 +25,10 @@ class UserImageController(BaseUserController):
         """Updates a User Image"""
         with get_temporary_path() as temp_path:
             assert_user_change_allowed(id, self.user, self.user)
-            temp_img = temp_path.joinpath(profile.filename)
+
+            # use a generated uuid and ignore the filename so we don't
+            # need to worry about sanitizing user inputs.
+            temp_img = temp_path.joinpath(str(uuid4()))
             with temp_img.open("wb") as buffer:
                 shutil.copyfileobj(profile.file, buffer)