From 9bfc0e60760e53ade579daa2bfe79ad4fcd966ee Mon Sep 17 00:00:00 2001
From: Pig Fang
Date: Sun, 18 Oct 2020 12:12:28 +0800
Subject: [PATCH] don't allow to render avatar for non-skin texture

---
 app/Http/Controllers/TextureController.php | 6 +++++-
 tests/HttpTest/ControllersTest/TextureControllerTest.php | 3 +++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/app/Http/Controllers/TextureController.php b/app/Http/Controllers/TextureController.php
index 9b2c17c2..c1fcec62 100644
--- a/app/Http/Controllers/TextureController.php
+++ b/app/Http/Controllers/TextureController.php
@@ -132,8 +132,12 @@ class TextureController extends Controller
 return $this->avatar($minecraft, $request, $texture);
 }
 
- protected function avatar(Minecraft $minecraft, Request $request, Texture $texture = null)
+ protected function avatar(Minecraft $minecraft, Request $request, ?Texture $texture)
 {
+ if (!empty($texture) && $texture->type !== 'steve' && $texture->type !== 'alex') {
+ return abort(422);
+ }
+
 $size = (int) $request->query('size', 100);
 $mode = $request->has('3d') ? '3d' : '2d';
 $usePNG = $request->has('png') || !(imagetypes() & IMG_WEBP);
diff --git a/tests/HttpTest/ControllersTest/TextureControllerTest.php b/tests/HttpTest/ControllersTest/TextureControllerTest.php
index 10ded3fd..a5574a54 100644
--- a/tests/HttpTest/ControllersTest/TextureControllerTest.php
+++ b/tests/HttpTest/ControllersTest/TextureControllerTest.php
@@ -224,6 +224,9 @@ class TextureControllerTest extends TestCase
 {
 $disk = Storage::fake('textures');
 
+ $cape = Texture::factory()->cape()->create();
+ $this->get(route('avatar.texture', ['tid' => $cape->tid]))->assertStatus(422);
+
 $this->get(route('avatar.texture', ['tid' => 0]))
 ->assertSuccessful()
 ->assertHeader('Content-Type', 'image/webp');
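Review bot: The new guard at the top of avatar() spells the skin allow-list as two chained `!==` comparisons behind `!empty($texture)`, which reads as an emptiness test although on a model object it is only a null check. `if ($texture !== null && !in_array($texture->type, ['steve', 'alex'], true)) {` states the allow-list directly, and because `abort()` throws, the `return` in front of `abort(422)` can be dropped. A short comment such as `// avatars are rendered from skin textures only; reject capes and any other type` would record why the request is refused. The signature also loses its `= null` default, so a caller passing only two arguments would now fail; the one call visible here passes three, and the rest of avatar() and its other callers lie outside the hunk.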
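Review bot: The added assertion pins only the rejected side of the new check (a cape returns 422), while the guard in avatar() admits two texture types. A companion request for a texture created with `Texture::factory()->create(['type' => 'alex'])`, asserted as successful, would catch a regression that narrows or inverts the allow-list. Whether skin textures are already exercised further down is not visible, because the test method starts and ends outside this hunk.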