PerfreeBlog
Arbitrary file upload through the avatar upload available to ordinary users
Affected versions: v3.1.1
Steps to reproduce
Register an ordinary user and upload an avatar.
The front end restricts the file type and only accepts image files.
The suffix of a malicious file can be changed to .jpg to pass the front-end check and then changed back by intercepting the upload request, because the backend does not verify the file type.

Repair suggestions
- The backend should check the file type itself and filter with a whitelist
- Alternatively, filter with a blacklist
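As an added illustration of the backend whitelist check recommended above (example code written for this note, not PerfreeBlog's own code), the validator below accepts an avatar only if its extension is on an allowlist and the file's leading bytes match that image format, and it lets the server choose the stored filename. Checking the bytes as well as the name matters because, as the steps above show, the client can edit the extension after the front-end check; the size limit and allowlist contents are assumptions for the example.

```python
import os
import uuid

# Allowlist of avatar extensions (assumed set for this example).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Leading bytes each format must start with, taken from the image format specs.
MAGIC_PREFIXES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

MAX_AVATAR_BYTES = 2 * 1024 * 1024  # assumed upload limit


def validate_avatar(filename: str, content: bytes) -> tuple:
    """Server-side check for an uploaded avatar.

    Returns (accepted, reason, stored_name). The stored name is chosen by
    the server (random UUID plus the validated extension), so the
    client-supplied name never reaches the filesystem.
    """
    if len(content) == 0 or len(content) > MAX_AVATAR_BYTES:
        return False, "size", ""
    # Only the last extension counts, lower-cased: "x.jpg.jsp" yields "jsp".
    base = os.path.basename(filename)
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension", ""
    # The extension is attacker-controlled after a proxy edit, so the bytes
    # must actually look like the image format the extension claims.
    if not any(content.startswith(p) for p in MAGIC_PREFIXES[ext]):
        return False, "content", ""
    return True, "ok", f"{uuid.uuid4().hex}.{ext}"


if __name__ == "__main__":
    # Constructed sample inputs: a minimal PNG header and a non-image body.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(validate_avatar("me.png", png))            # accepted
    print(validate_avatar("upload.jsp", png))        # rejected: extension
    print(validate_avatar("me.jpg", b"<% x %>"))     # rejected: content
```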