From 1197dbe739486f8c5e7974c2ddfb6bffbdccfd50 Mon Sep 17 00:00:00 2001
From: Victor Kotseruba
Date: Fri, 12 Jun 2015 01:22:02 +0300
Subject: [PATCH] `EXPOSE_USERNAMES` prevents sensitive information leakage
---
 avatar/conf.py | 1 +
 avatar/models.py | 9 ++++++---
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/avatar/conf.py b/avatar/conf.py
index 4d7f01f..14a263a 100644
--- a/avatar/conf.py
+++ b/avatar/conf.py
@@ -18,6 +18,7 @@ class AvatarConf(AppConf):
     THUMB_QUALITY = 85
     HASH_FILENAMES = False
     HASH_USERDIRNAMES = False
+    EXPOSE_USERNAMES = True
     ALLOWED_FILE_EXTS = None
     CACHE_TIMEOUT = 60 * 60
     STORAGE = settings.DEFAULT_FILE_STORAGE
diff --git a/avatar/models.py b/avatar/models.py
index 5bc3a52..bca0918 100644
--- a/avatar/models.py
+++ b/avatar/models.py
@@ -8,6 +8,7 @@ from django.core.files import File
 from django.core.files.base import ContentFile
 from django.core.files.storage import get_storage_class
 from django.utils.translation import ugettext as _
+from django.utils.encoding import force_text
 from django.utils import six
 from django.db.models import signals
 
@@ -26,10 +27,12 @@ avatar_storage = get_storage_class(settings.AVATAR_STORAGE)()
 def avatar_file_path(instance=None, filename=None, size=None, ext=None):
     tmppath = [settings.AVATAR_STORAGE_DIR]
     if settings.AVATAR_HASH_USERDIRNAMES:
-        tmp = hashlib.md5(get_username(instance.user)).hexdigest()
-        tmppath.extend([tmp[0], tmp[1], get_username(instance.user)])
-    else:
+        tmp = hashlib.md5(force_bytes(get_username(instance.user))).hexdigest()
+        tmppath.extend(tmp[0:2])
+    if settings.AVATAR_EXPOSE_USERNAMES:
         tmppath.append(get_username(instance.user))
+    else:
+        tmppath.append(force_text(instance.user.pk))
     if not filename:
         # Filename already stored in database
         filename = instance.avatar.name
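Review bot: The new `EXPOSE_USERNAMES` setting in `AvatarConf` defaults to `True`, so the username leak the subject line says this prevents stays open on every existing deployment until an operator discovers and flips the flag. If the default is kept for compatibility with already-stored avatar paths, that trade-off should be visible at the definition, e.g. `EXPOSE_USERNAMES = True  # False keys avatar dirs by user pk instead of username; changes paths of existing avatars`. Otherwise a secure default of `False` plus a release note on the path change is the safer choice.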
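Review bot: The added import brings in only `force_text`, but the rewritten `avatar_file_path` in the next hunk also calls `force_bytes` when `AVATAR_HASH_USERDIRNAMES` is on; unless `force_bytes` is already imported somewhere else in models.py that this diff does not show, the hashed-directory branch raises `NameError` on the first avatar save. The import line should read `from django.utils.encoding import force_bytes, force_text`.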
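Review bot: With `AVATAR_EXPOSE_USERNAMES` left on, the username is still appended to the storage path verbatim in the `tmppath.append(get_username(instance.user))` line, so a username containing `/` or `..` would escape the per-user directory; Django's stock username validator excludes those characters, but a custom user model may not, so either pass it through `get_valid_filename(...)` or add `# assumes usernames never contain path separators (default validator guarantees this)` above that line. Note also that when the flag is off the two-character bucket prefix is still derived from the md5 of the username, which is harmless but means the "no username in path" guarantee is only approximately true. The body of `avatar_file_path` continues past the end of this hunk.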