Fix #2096

author: syuilo <syuilotan@yahoo.co.jp> 2018-09-10 02:09:33 +0900
committer: syuilo <syuilotan@yahoo.co.jp> 2018-09-10 02:09:33 +0900
commit: eb4f625bbdadd63a32b9d6f09714b721e510defe (patch)
tree: f9f5129adf8eef2149d729755b8c64ba67bb7d63 /src/server/api/endpoints/i
parent: Fix #2513 (diff)
download: sharkey-eb4f625bbdadd63a32b9d6f09714b721e510defe.tar.gz
sharkey-eb4f625bbdadd63a32b9d6f09714b721e510defe.tar.bz2
sharkey-eb4f625bbdadd63a32b9d6f09714b721e510defe.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/src/server/api/endpoints/i/update.ts b/src/server/api/endpoints/i/update.ts
index 585339e249..953a6aec2a 100644
--- a/src/server/api/endpoints/i/update.ts
+++ b/src/server/api/endpoints/i/update.ts
@@ -84,6 +84,7 @@ export default async (params: any, user: ILocalUser, app: IApp) => new Promise(a
 		});
 
 		if (avatar == null) return rej('avatar not found');
+		if (!avatar.contentType.startsWith('image/')) return rej('avatar not an image');
 
 		updates.avatarUrl = avatar.metadata.thumbnailUrl || avatar.metadata.url || `${config.drive_url}/${avatar._id}`;
 
@@ -98,6 +99,7 @@ export default async (params: any, user: ILocalUser, app: IApp) => new Promise(a
 		});
 
 		if (banner == null) return rej('banner not found');
+		if (!banner.contentType.startsWith('image/')) return rej('banner not an image');
 
 		updates.bannerUrl = banner.metadata.url || `${config.drive_url}/${banner._id}`;
author	syuilo <syuilotan@yahoo.co.jp>	2018-09-10 02:09:33 +0900
committer	syuilo <syuilotan@yahoo.co.jp>	2018-09-10 02:09:33 +0900
commit	eb4f625bbdadd63a32b9d6f09714b721e510defe (patch)
tree	f9f5129adf8eef2149d729755b8c64ba67bb7d63 /src/server/api/endpoints/i
parent	Fix #2513 (diff)
download	sharkey-eb4f625bbdadd63a32b9d6f09714b721e510defe.tar.gz sharkey-eb4f625bbdadd63a32b9d6f09714b721e510defe.tar.bz2 sharkey-eb4f625bbdadd63a32b9d6f09714b721e510defe.zip