github/mealie
1
0
Fork 0
mirror of https://github.com/hay-kot/mealie.git synced 2025-08-22 14:33:33 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 20

use random path instead of user provided value

Browse source
This commit is contained in:
Hayden 2025-07-04 12:25:48 -05:00
commit 02d0270115
No known key found for this signature in database
GPG key ID: 17CF79474E257545
1 changed files with 5 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

6
mealie/routes/users/images.py
View file

@ -1,4 +1,5 @@
import shutil
from uuid import uuid4
from fastapi import File, HTTPException, UploadFile, status
from pydantic import UUID4
@ -24,7 +25,10 @@ class UserImageController(BaseUserController):
"""Updates a User Image"""
with get_temporary_path() as temp_path:
assert_user_change_allowed(id, self.user, self.user)
temp_img = temp_path.joinpath(profile.filename)
# use a generated uuid and ignore the filename so we don't
# need to worry about sanitizing user inputs.
temp_img = temp_path.joinpath(str(uuid4()))
with temp_img.open("wb") as buffer:
shutil.copyfileobj(profile.file, buffer)