avatar: don't generate avatars for non-users

pull/2/head
radex 2023-10-14 16:02:47 +02:00
parent a6cc147595
commit b10f6478da
1 changed files with 5 additions and 2 deletions


@ -197,7 +197,8 @@ class AvatarCache:
res = []
avatar = None
if len(res) == 1:
is_user_found = len(res) == 1
if is_user_found:
for attr, vs in res[0][1].items():
if attr == 'jpegPhoto':
for v in vs:
@ -217,7 +218,9 @@ class AvatarCache:
# If nothing was found in LDAP (either uid doesn't exist or uid doesn't
# have an avatar attached), serve default avatar.
if avatar is None:
avatar = default_avatar(uid)
# don't generate avatars for non-users to reduce DoS potential
# (note: capacifier already leaks existence of users, so whatever)
avatar = default_avatar(uid if is_user_found else 'default')
# Save avatar in cache.
entry = AvatarCacheEntry(uid, avatar)
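Review bot: The cache entry on the last line of the second hunk is still built as `AvatarCacheEntry(uid, avatar)` when `is_user_found` is false, so every distinct unknown uid appears to get its own cached copy of the shared default image; the commit bounds the generation cost but not cache growth. How entries are stored and evicted is outside the hunk, so confirm the cache is size-bounded, or avoid storing a per-uid entry for non-users, e.g. by guarding the store with `if is_user_found:`. `is_user_found` is also false whenever `res` was reset to `[]` just above, which looks like a lookup-failure path (the enclosing method starts outside the hunk); if so, a real user would get the 'default' image cached under their uid until that entry expires. The added comment could state explicitly that users without a `jpegPhoto` and non-users now receive different images, which is the existence leak it alludes to.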