authorprovokateurin <kate@provokateurin.de>2024-08-14 09:29:30 +0200
committerprovokateurin <kate@provokateurin.de>2024-08-14 09:29:30 +0200
commite77d6c913d8243889d49c81ee7f5604f15f6cf9b (patch)
treebb81e09b46bd973e250408b59801ad1cbd0d50bf /core/Controller
parenta503125173ce438aa841a24a9108cb5c6bac27ac (diff)
fix(core): Limit valid avatar sizes
Signed-off-by: provokateurin <kate@provokateurin.de>
Diffstat (limited to 'core/Controller')
-rw-r--r--core/Controller/AvatarController.php8
-rw-r--r--core/Controller/GuestAvatarController.php9
2 files changed, 8 insertions, 9 deletions
diff --git a/core/Controller/AvatarController.php b/core/Controller/AvatarController.php
index 3126b2600d9..5d117f6ae7f 100644
--- a/core/Controller/AvatarController.php
+++ b/core/Controller/AvatarController.php
@@ -55,7 +55,7 @@ class AvatarController extends Controller {
* Get the dark avatar
*
* @param string $userId ID of the user
- * @param int $size Size of the avatar
+ * @param 64|512 $size Size of the avatar
* @param bool $guestFallback Fallback to guest avatar if not found
* @return FileDisplayResponse<Http::STATUS_OK|Http::STATUS_CREATED, array{Content-Type: string, X-NC-IsCustomAvatar: int}>|JSONResponse<Http::STATUS_NOT_FOUND, array<empty>, array{}>|Response<Http::STATUS_INTERNAL_SERVER_ERROR, array{}>
*
@@ -89,7 +89,7 @@ class AvatarController extends Controller {
);
} catch (\Exception $e) {
if ($guestFallback) {
- return $this->guestAvatarController->getAvatarDark($userId, (string)$size);
+ return $this->guestAvatarController->getAvatarDark($userId, $size);
}
return new JSONResponse([], Http::STATUS_NOT_FOUND);
}
@@ -106,7 +106,7 @@ class AvatarController extends Controller {
* Get the avatar
*
* @param string $userId ID of the user
- * @param int $size Size of the avatar
+ * @param 64|512 $size Size of the avatar
* @param bool $guestFallback Fallback to guest avatar if not found
* @return FileDisplayResponse<Http::STATUS_OK|Http::STATUS_CREATED, array{Content-Type: string, X-NC-IsCustomAvatar: int}>|JSONResponse<Http::STATUS_NOT_FOUND, array<empty>, array{}>|Response<Http::STATUS_INTERNAL_SERVER_ERROR, array{}>
*
@@ -140,7 +140,7 @@ class AvatarController extends Controller {
);
} catch (\Exception $e) {
if ($guestFallback) {
- return $this->guestAvatarController->getAvatar($userId, (string)$size);
+ return $this->guestAvatarController->getAvatar($userId, $size);
}
return new JSONResponse([], Http::STATUS_NOT_FOUND);
}
diff --git a/core/Controller/GuestAvatarController.php b/core/Controller/GuestAvatarController.php
index 6a7edc9cfcc..e87112726f2 100644
--- a/core/Controller/GuestAvatarController.php
+++ b/core/Controller/GuestAvatarController.php
@@ -36,7 +36,7 @@ class GuestAvatarController extends Controller {
* Returns a guest avatar image response
*
* @param string $guestName The guest name, e.g. "Albert"
- * @param string $size The desired avatar size, e.g. 64 for 64x64px
+ * @param 64|512 $size The desired avatar size, e.g. 64 for 64x64px
* @param bool|null $darkTheme Return dark avatar
* @return FileDisplayResponse<Http::STATUS_OK|Http::STATUS_CREATED, array{Content-Type: string, X-NC-IsCustomAvatar: int}>|Response<Http::STATUS_INTERNAL_SERVER_ERROR, array{}>
*
@@ -46,8 +46,7 @@ class GuestAvatarController extends Controller {
#[PublicPage]
#[NoCSRFRequired]
#[FrontpageRoute(verb: 'GET', url: '/avatar/guest/{guestName}/{size}')]
- public function getAvatar(string $guestName, string $size, ?bool $darkTheme = false) {
- $size = (int) $size;
+ public function getAvatar(string $guestName, int $size, ?bool $darkTheme = false) {
$darkTheme = $darkTheme ?? false;
if ($size <= 64) {
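Review bot: The `64|512` limit lives only in the PHPDoc; the new `getAvatar` signature is a plain `int $size`, so on this `#[PublicPage]` route any integer still reaches the body unless the dispatcher validates requests against the docblock, which is not visible here. The `if ($size <= 64)` that follows suggests out-of-range values are bucketed rather than rejected (the body continues outside the hunk), so I would state that next to the check, e.g. `// PHPDoc 64|512 is not enforced at runtime; any other int is normalised below`. Dropping `$size = (int) $size;` also changes how a non-numeric `{size}` segment is handled: it used to become 0, and now depends on how the framework converts route parameters to `int`, which deserves a test on the unauthenticated route. The same applies to `getAvatarDark` in the last hunk and to the `@param 64|512` annotations in `AvatarController.php`.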
@@ -89,7 +88,7 @@ class GuestAvatarController extends Controller {
* Returns a dark guest avatar image response
*
* @param string $guestName The guest name, e.g. "Albert"
- * @param string $size The desired avatar size, e.g. 64 for 64x64px
+ * @param 64|512 $size The desired avatar size, e.g. 64 for 64x64px
* @return FileDisplayResponse<Http::STATUS_OK|Http::STATUS_CREATED, array{Content-Type: string, X-NC-IsCustomAvatar: int}>|Response<Http::STATUS_INTERNAL_SERVER_ERROR, array{}>
*
* 200: Custom avatar returned
@@ -98,7 +97,7 @@ class GuestAvatarController extends Controller {
#[PublicPage]
#[NoCSRFRequired]
#[FrontpageRoute(verb: 'GET', url: '/avatar/guest/{guestName}/{size}/dark')]
- public function getAvatarDark(string $guestName, string $size) {
+ public function getAvatarDark(string $guestName, int $size) {
return $this->getAvatar($guestName, $size, true);
}
}