From b10f6478da21d1df6b3142421b335f60c504441d Mon Sep 17 00:00:00 2001
From: radex
Date: Sat, 14 Oct 2023 16:02:47 +0200
Subject: [PATCH] avatar: don't generate avatars for non-users

---
 webapp/avatar.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/webapp/avatar.py b/webapp/avatar.py
index aa0aa8f..a97c455 100644
--- a/webapp/avatar.py
+++ b/webapp/avatar.py
@@ -197,7 +197,8 @@ class AvatarCache:
             res = []
         avatar = None
-        if len(res) == 1:
+        is_user_found = len(res) == 1
+        if is_user_found:
             for attr, vs in res[0][1].items():
                 if attr == 'jpegPhoto':
                     for v in vs:
@@ -217,7 +218,9 @@ class AvatarCache:
         # If nothing was found in LDAP (either uid doesn't exist or uid doesn't
         # have an avatar attached), serve default avatar.
         if avatar is None:
-            avatar = default_avatar(uid)
+            # don't generate avatars for non-users to reduce DoS potential
+            # (note: capacifier already leaks existence of users, so whatever)
+            avatar = default_avatar(uid if is_user_found else 'default')
 
         # Save avatar in cache.
         entry = AvatarCacheEntry(uid, avatar)
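Review bot: The shared default avatar is still stored once per requested uid on the `entry = AvatarCacheEntry(uid, avatar)` line in the second hunk, so the change removes the per-uid generation cost for unknown users but a stream of requests with distinct non-existent uids still adds one cache entry each; unless AvatarCache is bounded elsewhere in the file, that remains a memory-growth vector. One option is to skip the save for non-users, e.g. `if is_user_found:` around the cache-save lines, or to cache the fallback under the single `'default'` key it is now generated for. Note also that a real user whose uid is literally `default` would share that generated image, which may or may not matter here. The enclosing method starts before the first hunk and continues past the last visible line, so the cache-save code after `entry = ...` is not visible in this patch.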