llvy.ltd/casdoor
1
0
Fork 0
mirror of https://github.com/casdoor/casdoor.git synced 2025-07-02 19:40:19 +08:00
Code Issues Packages Projects Releases Wiki Activity

feat: fix SSRF when download avatar (#1193)

Browse Source
This commit is contained in:
Yaodong Yu
2022-10-20 14:47:08 +08:00
committed by GitHub
parent dffa68cbce
commit 6a1ec51978
6 changed files with 75 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
object/user.go
View File

@ -386,7 +386,7 @@ func UpdateUser(id string, user *User, columns []string, isGlobalAdmin bool) boo
user.UpdateUserHash()
if user.Avatar != oldUser.Avatar && user.Avatar != "" && user.PermanentAvatar != "*" {
user.PermanentAvatar = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar)
user.PermanentAvatar = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar, false)
}
if len(columns) == 0 {
@ -419,7 +419,7 @@ func UpdateUserForAllFields(id string, user *User) bool {
user.UpdateUserHash()
if user.Avatar != oldUser.Avatar && user.Avatar != "" {
user.PermanentAvatar = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar)
user.PermanentAvatar = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar, false)
}
affected, err := adapter.Engine.ID(core.PK{owner, name}).AllCols().Update(user)
@ -449,7 +449,7 @@ func AddUser(user *User) bool {
user.UpdateUserHash()
user.PreHash = user.Hash
user.PermanentAvatar = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar)
user.PermanentAvatar = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar, false)
user.Ranking = GetUserCount(user.Owner, "", "") + 1
@ -474,7 +474,7 @@ func AddUsers(users []*User) bool {
user.UpdateUserHash()
user.PreHash = user.Hash
user.PermanentAvatar = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar)
user.PermanentAvatar = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar, true)
}
affected, err := adapter.Engine.Insert(users)