
Avatar upload lets one user overwrite another’s profile image

Open YLChen-007 opened this issue 1 month ago • 0 comments

Avatar upload lets one user overwrite another’s profile image: /member/imgaeUpload accepts userId and token but never verifies that the token belongs to that user before updating DB records, so any authenticated user can change another user’s avatar.

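    // Controller handler for /member/imgaeUpload: userId and token both come from the request body
    public Result<Object> imgaeUpload(@RequestBody CommonDto common){
        String imgPath = memberService.imageUpload(common.getUserId(),common.getToken(),common.getImgData());
        return new ResultUtil<Object>().setData(imgPath);
    }

    // Service method called above (the step that produces imgPath is not shown in this excerpt)
    public String imageUpload(Long userId,String token,String imgData) {
        // target record is selected by the client-supplied userId
        TbMember tbMember=tbMemberMapper.selectByPrimaryKey(userId);
        // updates the target record with no token/userId consistency check
        tbMemberMapper.updateByPrimaryKey(tbMember);
        // the token is only used afterwards, to refresh the caller's cached session
        Member member=loginService.getUserByToken(token);
        member.setFile(imgPath);
        jedisClient.set("SESSION:" + token, new Gson().toJson(member));
        return imgPath;
    }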

YLChen-007 avatar Nov 04 '25 02:11 YLChen-007
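
The missing check, as an added example that is not part of the original issue or the xmall code base: the unchecked write shape next to a version that resolves the session from the token first and refuses a `userId` that does not match it. The class, the method names and the two in-memory maps (stand-ins for the Redis `SESSION:` store and the member table) are hypothetical, and the sample tokens and paths are constructed.

```java
import java.util.HashMap;
import java.util.Map;

public class AvatarOwnershipCheck {
    // Constructed stand-ins: session store (token -> user id) and member table (user id -> avatar path).
    static final Map<String, Long> sessions = new HashMap<>();
    static final Map<Long, String> avatars = new HashMap<>();

    // Shape reported in the issue: the row to update is chosen by the client-supplied userId.
    static String uploadUnchecked(Long userId, String token, String imgPath) {
        avatars.put(userId, imgPath);
        return imgPath;
    }

    // Hardened shape: the session behind the token decides whose row may be written.
    static String uploadChecked(Long userId, String token, String imgPath) {
        Long owner = sessions.get(token);
        if (owner == null) {
            throw new SecurityException("unknown or expired session");
        }
        if (!owner.equals(userId)) {
            throw new SecurityException("token does not belong to userId " + userId);
        }
        avatars.put(owner, imgPath); // keyed by the session's identity, not the request's
        return imgPath;
    }

    public static void main(String[] args) {
        // Constructed sample data: two logged-in members.
        sessions.put("token-alice", 1L);
        sessions.put("token-bob", 2L);
        avatars.put(1L, "alice.png");
        avatars.put(2L, "bob.png");

        // Alice's token with Bob's userId: the unchecked path changes Bob's record.
        uploadUnchecked(2L, "token-alice", "other.png");
        System.out.println("unchecked: bob's avatar = " + avatars.get(2L));

        avatars.put(2L, "bob.png"); // reset
        try {
            uploadChecked(2L, "token-alice", "other.png");
        } catch (SecurityException e) {
            System.out.println("checked: rejected (" + e.getMessage() + ")");
        }
        System.out.println("checked: bob's avatar = " + avatars.get(2L));
        uploadChecked(1L, "token-alice", "alice-new.png");
        System.out.println("checked: alice's avatar = " + avatars.get(1L));
    }
}
```

Once the server derives the member id from the session, the `userId` field in the request body is redundant and can be dropped from the endpoint's input.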