From 437c93463d5e8b7b8bd97447130bed56ea33ae87 Mon Sep 17 00:00:00 2001
From: sam
Date: Fri, 29 Mar 2024 17:12:50 +0100
Subject: [PATCH] limit allowed content types for avatar input
---
 foxnouns/tasks.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/foxnouns/tasks.py b/foxnouns/tasks.py
index 4fe5170..e6af598 100644
--- a/foxnouns/tasks.py
+++ b/foxnouns/tasks.py
@@ -29,8 +29,9 @@ def convert_avatar(uri: str) -> bytes:
 if not uri.startswith("data:image/"):
 raise ValueError("Not a data URI")
- content_type, encoded = uri.removeprefix("data:").split("base64,", 1)
- logger.info(f"{content_type=}")
+ content_type, encoded = uri.removeprefix("data:").split(";base64,", 1)
+ if content_type not in ["image/png", "image/webp", "image/jpeg"]:
+ raise ValueError("Invalid content type for image")
 img = pyvips.Image.thumbnail_buffer(
 base64.b64decode(encoded),
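Review bot: The new allowlist on `content_type` checks only the label inside the data URI, which the client controls; the bytes passed to `pyvips.Image.thumbnail_buffer` are never compared with it, and libvips chooses its loader by sniffing the buffer. A payload declared as `image/png` can therefore still reach any loader the libvips build includes, so the decoder attack surface is not actually narrowed to PNG, WebP and JPEG. Decode first with `data = base64.b64decode(encoded, validate=True)` and reject it unless its leading bytes match one of the three formats (PNG `\x89PNG\r\n\x1a\n`, JPEG `\xff\xd8\xff`, `RIFF`…`WEBP`) before calling pyvips. The rest of `convert_avatar` lies outside the hunk, so a later check may already cover this.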