Closed SilentFlameCR closed 4 months ago
The avatar that is actually stored and later displayed to visitors is not scanned? I can simply send a normal image as user[original_avatar] and a malicious one as user[avatar] to bypass the clamav check.
It's still scanned in the user.rb file as a backup
Ah, so this is just for generating a proper error message on upload, I see. Thanks for the explanation.
setAvatar now sending original_avatar and edited avatar for the clamav check. Scanning for viruses fixed for avatar.