From 743c6fe42edd56dcdb5a8ebacb06c82db19ae4b0 Mon Sep 17 00:00:00 2001
From: Darin Kotter
Date: Tue, 12 Nov 2024 14:02:15 -0700
Subject: [PATCH 1/2] Only allow images to be added as avatars

---
 includes/class-simple-local-avatars.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/includes/class-simple-local-avatars.php b/includes/class-simple-local-avatars.php
index c864ec9..845451a 100644
--- a/includes/class-simple-local-avatars.php
+++ b/includes/class-simple-local-avatars.php
@@ -1324,8 +1324,14 @@ public function set_avatar_rest( $input, $user ) {
 return new \WP_Error( 'invalid_media_id', esc_html__( 'Request did not contain a valid media_id field.', 'simple-local-avatars' ) );
 }
+ $attachment = get_post( (int) $input['media_id'] );
+
 // Ensure this media_id is a valid attachment.
- if ( ! wp_get_attachment_url( (int) $input['media_id'] ) ) {
+ if (
+ ! $attachment ||
+ 'attachment' !== $attachment->post_type ||
+ ! wp_attachment_is_image( $attachment )
+ ) {
 return new \WP_Error( 'invalid_media_id', esc_html__( 'Media ID did not match a valid attachment.', 'simple-local-avatars' ) );
 }

From ba766195bed3cc86074d920b5fc816fa75824d2d Mon Sep 17 00:00:00 2001
From: Darin Kotter
Date: Tue, 12 Nov 2024 14:02:35 -0700
Subject: [PATCH 2/2] Only allow images that were uploaded by this user be used as avatars

---
 includes/class-simple-local-avatars.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/includes/class-simple-local-avatars.php b/includes/class-simple-local-avatars.php
index 845451a..6eb9f72 100644
--- a/includes/class-simple-local-avatars.php
+++ b/includes/class-simple-local-avatars.php
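Review bot: The cast `(int) $input['media_id']` turns a non-numeric value such as `"abc"` into `0`, and `get_post( 0 )` falls back to the global `$post` instead of returning null, so the `'attachment' !== $attachment->post_type` branch is what actually rejects that input; a short comment would keep a later cleanup from dropping it as redundant, e.g. `// get_post( 0 ) falls back to the global $post, so the post_type check is load-bearing.` Validating the id once up front with `$media_id = absint( $input['media_id'] );` and passing that to both `get_post()` and `assign_new_user_avatar()` would also stop a value like `"5abc"` being silently accepted as 5. `wp_attachment_is_image()` decides by the attached file's extension and MIME type rather than its contents, so this check relies on upload-time validation having already happened; presumably acceptable here, but worth stating in the comment. `set_avatar_rest()` begins before and continues after this hunk.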
@@ -1335,6 +1335,11 @@ public function set_avatar_rest( $input, $user ) {
 return new \WP_Error( 'invalid_media_id', esc_html__( 'Media ID did not match a valid attachment.', 'simple-local-avatars' ) );
 }
+ // Ensure this attachment is associated with this user.
+ if ( (int) $attachment->post_author !== (int) $user->ID ) {
+ return new \WP_Error( 'invalid_media_id', esc_html__( 'This attachment was not uploaded by this user.', 'simple-local-avatars' ) );
+ }
+
 $this->assign_new_user_avatar( (int) $input['media_id'], $user->ID );
 }
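Review bot: The ownership check compares `post_author` with the target `$user->ID`, not with the requesting user, so a privileged user editing another user's profile is refused any image they uploaded themselves, and the reused error code `invalid_media_id` now covers an authorization failure as well as a malformed id. If the goal is only to stop a user exposing someone else's upload as their avatar, rejecting only when the caller also cannot edit the attachment, `if ( (int) $attachment->post_author !== (int) $user->ID && ! current_user_can( 'edit_post', $attachment->ID ) ) {`, keeps that protection for unprivileged callers without breaking the admin flow; whether that flow is meant to be supported depends on the permission callback outside this hunk. A distinct error code (a constructed example: `'forbidden_media_id'`) would let API clients tell the two cases apart. The check relies on `$attachment` being assigned earlier in `set_avatar_rest()`, which starts before this hunk.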