Improve security checks for URL-based avatar downloads #39594
Description
While reviewing the recent fix addressing unbounded memory consumption in avatar URL uploads, I noticed a few additional edge cases that could further strengthen the security of the implementation.
The current fix correctly enforces FileUpload_MaxFileSize and prevents large responses from being buffered entirely in memory. However, there are a few scenarios that may still benefit from additional safeguards.
Potential Improvements
- Missing or incorrect Content-Length header
Some servers may not include a Content-Length header or may return an incorrect value. In such cases, relying solely on the header check could be insufficient. The streaming byte limit should always be enforced regardless of whether the header is present or accurate.
- Request timeout handling
A remote server could intentionally send data very slowly, potentially keeping the connection open for an extended period of time. Adding a timeout mechanism for the fetch request could help prevent resource exhaustion from slow responses.
- MIME type validation
Since this endpoint processes avatar images, validating the response Content-Type could prevent non-image files from being stored as avatars. Accepting only expected formats (such as image/png, image/jpeg, or image/webp) would improve security and consistency.
Expected Behavior
The avatar download mechanism should:
- Enforce maximum file size limits even when Content-Length is missing or incorrect
- Apply request timeouts to prevent slow or stalled downloads
- Validate the MIME type to ensure only supported image formats are accepted
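The three safeguards listed under Potential Improvements and Expected Behavior, as an added example in Node.js that is not Rocket.Chat's own code: the Content-Type allowlist and Content-Length pre-check are a fast rejection path only, while the streaming byte cap and a per-chunk deadline do the real enforcement. `downloadAvatar`, `fakeBody` and the other function names are assumptions made for this example; `maxBytes` stands in for the project's `FileUpload_MaxFileSize` setting.

```javascript
const ALLOWED_TYPES = new Set(['image/png', 'image/jpeg', 'image/webp']);
// Header pre-check: returns an error string, or null if the body may be read (the streaming cap still applies).
function checkHeaders(headers, maxBytes) {
  const type = String(headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (!ALLOWED_TYPES.has(type)) return `unsupported content-type: ${type || '(none)'}`;
  if (headers['content-length'] !== undefined) {
    const len = Number(headers['content-length']);
    if (!Number.isInteger(len) || len < 0) return 'malformed content-length';
    if (len > maxBytes) return `declared size ${len} exceeds limit ${maxBytes}`;
  }
  return null;
}

// Race a promise against a deadline so a slow-drip server cannot hold the reader open.
function withDeadline(promise, ms) {
  let timer;
  const deadline = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error('chunk timeout')), ms);
  });
  return Promise.race([promise, deadline]).finally(() => clearTimeout(timer));
}

// Read an async iterable of byte chunks (a Node Readable or fetch body works),
// failing as soon as the running total passes maxBytes, whatever Content-Length said.
async function readLimited(body, maxBytes, chunkTimeoutMs) {
  const chunks = [];
  let total = 0;
  const it = body[Symbol.asyncIterator]();
  for (;;) {
    const { value, done } = await withDeadline(it.next(), chunkTimeoutMs);
    if (done) return Buffer.concat(chunks);
    total += value.length;
    if (total > maxBytes) throw new Error(`body exceeds ${maxBytes} bytes`); // caller aborts the request
    chunks.push(Buffer.from(value));
  }
}

async function downloadAvatar(headers, body, { maxBytes, chunkTimeoutMs }) {
  const err = checkHeaders(headers, maxBytes);
  if (err) throw new Error(err);
  return readLimited(body, maxBytes, chunkTimeoutMs);
}

// Constructed stand-in for a response body: yields chunks with an optional delay between them.
async function* fakeBody(chunks, delayMs = 0) {
  for (const c of chunks) {
    if (delayMs) await new Promise((r) => setTimeout(r, delayMs));
    yield Buffer.from(c);
  }
}
```

With a real fetch, pass `response.headers` (lower-cased keys) and `response.body` to `downloadAvatar` and abort the request when it rejects.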
Additional Context
This issue is related to the recent security fix addressing unbounded memory consumption during avatar URL downloads.