I know that the current profile pic setup is a temporary solution. But it does open up a privacy issue. People are able to put a shortened URL/IP grabber link into the profile pic and banner fields and they get rendered as images.
For example, I did this with my own profile: https://beta.chirpsocial.net/user/?id=Verty
In the profile picture URL I put https://l.verty.gay/0ATw, which gets 301 redirected to https://verty.gay/wp-content/uploads/2024/10/tanlin.png
Same for my banner, URL https://l.verty.gay/H6ed 301s to https://verty.gay/wp-content/uploads/2023/11/feature-image.jpg
Because of this, I can see detailed logs of whoever sees my posts or visits my profile. And since I used a different short URL for my banner, I can tell the difference between a post view and a profile view. This poses a general privacy risk because of this kind of logging, but I'm sure there is also some sort of attack that could be done using this.
There should be some check that the URL provided is a direct link to an image, without any redirection. Or perhaps just whitelist a few domains that images can be hosted on (Twitter, Imgur, ImgBB, etc.).
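Here is one way to implement the two checks proposed above (no redirects, image Content-Type, optional host allowlist). This is an added example, not code from the Chirp project; the allowlisted hosts are placeholders, the check uses a HEAD request via the standard library with redirects disabled, and the `fetch` parameter exists so the policy can be exercised on constructed responses without network access.

```python
"""Validate a user-supplied avatar/banner URL before it is stored or rendered.

Policy (the two mitigations suggested in the issue):
  1. Direct link only: the server must answer 200 with an image/* Content-Type,
     and any 3xx answer is rejected instead of followed.
  2. Optionally, the host must be on an allowlist of known image hosts.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Set, Tuple
from urllib.parse import urlparse
import urllib.error
import urllib.request

# Example allowlist, constructed for this demonstration; not the project's config.
ALLOWED_HOSTS: Set[str] = {"i.imgur.com", "i.ibb.co", "pbs.twimg.com"}


@dataclass
class Probe:
    """What a single, non-redirecting request told us about the URL."""
    status: int
    content_type: str
    location: Optional[str] = None  # Location header if the server redirected


def url_allowed(url: str, allowlist: Optional[Set[str]] = ALLOWED_HOSTS) -> Tuple[bool, str]:
    """Static checks that need no network: scheme, host present, host allowlisted."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False, "scheme must be https"
    if not parsed.hostname:
        return False, "missing host"
    # urlparse() already lowercases hostname; pass allowlist=None to skip this check.
    if allowlist is not None and parsed.hostname not in allowlist:
        return False, f"host {parsed.hostname} not in allowlist"
    return True, "ok"


def probe_allowed(probe: Probe) -> Tuple[bool, str]:
    """Decide from the response whether the URL is a direct image link."""
    if 300 <= probe.status < 400:
        # A shortener or tracking link answers here; never follow it.
        return False, f"redirect ({probe.status}) to {probe.location!r} not allowed"
    if probe.status != 200:
        return False, f"unexpected status {probe.status}"
    mime = probe.content_type.split(";")[0].strip().lower()
    if not mime.startswith("image/"):
        return False, f"content-type {mime!r} is not an image"
    return True, "ok"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Turn every 3xx into an HTTPError instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_url(url: str, timeout: float = 5.0) -> Probe:
    """Issue one HEAD request with redirects disabled and summarise the answer."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return Probe(resp.status, resp.headers.get("Content-Type", ""))
    except urllib.error.HTTPError as e:
        return Probe(e.code, e.headers.get("Content-Type", ""), e.headers.get("Location"))


def validate_image_url(
    url: str,
    allowlist: Optional[Set[str]] = ALLOWED_HOSTS,
    fetch: Callable[[str], Probe] = probe_url,
) -> Tuple[bool, str]:
    """Full check: static URL policy first, then one non-redirecting probe."""
    ok, why = url_allowed(url, allowlist)
    if not ok:
        return False, why
    return probe_allowed(fetch(url))


if __name__ == "__main__":
    # Constructed responses standing in for a shortener and for a real image host.
    shortener = lambda u: Probe(301, "text/html", "https://example.invalid/final.png")
    image_host = lambda u: Probe(200, "image/png")
    print(validate_image_url("https://i.imgur.com/a.png", fetch=shortener))   # rejected
    print(validate_image_url("https://i.imgur.com/a.png", fetch=image_host))  # accepted
```

The static checks run without any request, so a URL on a non-allowlisted host (such as a personal link shortener) is rejected before the server ever sees a hit. Note that a probe at save time only proves the URL was direct at that moment; the upstream host can start redirecting later, so re-probing periodically or at render time closes that gap.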