From 9106596a9a7a4029c45e6d65b5fb74e68568e19b Mon Sep 17 00:00:00 2001
From: dbarbera
Date: Sat, 12 Oct 2013 14:11:44 +0200
Subject: [PATCH] add image authorization on upload_avatar

---
 app/controllers/users_controller.rb       | 4 ++++
 spec/controllers/users_controller_spec.rb | 6 ++++++
 2 files changed, 10 insertions(+)

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index d00bfccd837..2eca5e70334 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -302,6 +302,10 @@ class UsersController < ApplicationController
 
     file = params[:file] || params[:files].first
 
+    unless SiteSetting.authorized_image?(file)
+      return render status: 422, text: I18n.t("upload.images.unknown_image_type")
+    end
+
     # check the file size (note: this might also be done in the web server)
     filesize = File.size(file.tempfile)
     max_size_kb = SiteSetting.max_image_size_kb * 1024
diff --git a/spec/controllers/users_controller_spec.rb b/spec/controllers/users_controller_spec.rb
index c13ad5e0761..d417327ba50 100644
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@@ -966,6 +966,12 @@ describe UsersController do
       response.status.should eq 413
     end
 
+    it 'rejects unauthorized images' do
+      SiteSetting.stubs(:authorized_image?).returns(false)
+      xhr :post, :upload_avatar, username: user.username, file: avatar
+      response.status.should eq 422
+    end
+
     it 'is successful' do
       upload = Fabricate(:upload)
       Upload.expects(:create_for).returns(upload)
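Review bot: The new guard rejects the upload when `SiteSetting.authorized_image?(file)` is false, but nothing in the hunk shows what that predicate inspects; if it decides from the client-supplied filename or declared content type rather than the bytes of `file.tempfile`, the check only filters honest mistakes and a later content-based check is still the one that matters. A one-line comment would make the intent and its limits explicit for the next reader, e.g. `# cheap type/extension gate before the size check; content validation happens downstream` (adjust to whatever authorized_image? actually does). The guard also runs with `file` possibly nil when neither `params[:file]` nor `params[:files]` is present, which the hunk leaves to the predicate to handle. The enclosing action starts and ends outside the hunk.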
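Review bot: The new example stubs `SiteSetting.authorized_image?` to false and asserts the 422, which checks that the controller honors the predicate but not that any real file type is rejected. The neighbouring `'is successful'` example does not stub the predicate, so it now depends on the real `authorized_image?` accepting the `avatar` fixture; if that fixture's type is not in the allowed list the example will start failing for a reason unrelated to what it tests. Consider `SiteSetting.stubs(:authorized_image?).returns(true)` in the success path, or one example that posts a genuinely disallowed file type without stubbing. The `describe` block this sits in starts and ends outside the hunk.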