Commit f30aabc

Merge branch 'develop' into trunk
2 parents e9ede75 + c5f0981 commit f30aabc

7 files changed

+5139
-4494
lines changed

CHANGELOG.md

Lines changed: 13 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,16 @@ All notable changes to this project will be documented in this file, per [the Ke
44

55
## [Unreleased] - TBD
66

7+
## [2.8.3] - 2024-11-18
8+
### Changed
9+
- Only allow images that were uploaded by the same user be used when setting the avatar via a REST request (props [@dkotter](https://github.com/dkotter), [@justus12337](https://github.com/justus12337), [@faisal-alvi](https://github.com/faisal-alvi) via [#317](https://github.com/10up/simple-local-avatars/pull/317)).
10+
11+
### Fixed
12+
- Only allow image files to be set as the avatar in REST requests (props [@dkotter](https://github.com/dkotter), [@justus12337](https://github.com/justus12337), [@faisal-alvi](https://github.com/faisal-alvi) via [#317](https://github.com/10up/simple-local-avatars/pull/317)).
13+
14+
### Security
15+
- Bump `@10up/cypress-wp-utils` from 0.2.0 to 0.4.0, `@sentry/node` from 6.19.7 to 8.38.0, `@wordpress/env` from 9.2.0 to 10.11.0, `cypress` from 13.2.0 to 13.15.2, `cypress-mochawesome-reporter` from 3.6.0 to 3.8.2, `puppeteer-core` from 23.3.0 to 23.8.0 (props [@dkotter](https://github.com/dkotter) via [#319](https://github.com/10up/simple-local-avatars/pull/319)).
16+
717
## [2.8.2] - 2024-11-12
818
### Fixed
919
- Ensure dependencies are (actually) included properly in the release (props [@dkotter](https://github.com/dkotter) via [#316](https://github.com/10up/simple-local-avatars/pull/316)).
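Review bot: The two new 2.8.3 entries (lines 9+ and 12+) describe authorization and input-validation hardening of the same REST avatar path that the 2.8.2 entries below already file under `### Security`, so they belong under `### Security` rather than `### Changed` and `### Fixed`; readers scanning the Security sections for the follow-up to GHSA-wfjh-m788-w2c5 will otherwise miss them. The `### Changed` entry is also a behaviour change worth spelling out: per the accompanying code change, an attachment is now rejected unless its `post_author` is the user receiving the avatar, so a flow where one account uploads the image and the avatar is set on a different user stops working; one sentence saying so would save support questions.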
@@ -29,7 +39,7 @@ All notable changes to this project will be documented in this file, per [the Ke
2939

3040
### Security
3141
- Run a user capability check before we clear the avatar cache (props [@dkotter](https://github.com/dkotter), [@truonghuuphuc](https://github.com/truonghuuphuc), [@Sidsector9](https://github.com/Sidsector9) via [#309](https://github.com/10up/simple-local-avatars/pull/309)).
32-
- Ensure REST API requests to set an avatar only allow existing attachment IDs to be used (props [@dkotter](https://github.com/dkotter), Justus Böhme, [@faisal-alvi](https://github.com/faisal-alvi) via [GHSA-wfjh-m788-w2c5](https://github.com/10up/simple-local-avatars/security/advisories/GHSA-wfjh-m788-w2c5)).
42+
- Ensure REST API requests to set an avatar only allow existing attachment IDs to be used (props [@dkotter](https://github.com/dkotter), [@justus12337](https://github.com/justus12337), [@faisal-alvi](https://github.com/faisal-alvi) via [GHSA-wfjh-m788-w2c5](https://github.com/10up/simple-local-avatars/security/advisories/GHSA-wfjh-m788-w2c5)).
3343
- Bump `axios` from 1.6.7 to 1.7.4 (props [@dependabot](https://github.com/apps/dependabot), [@faisal-alvi](https://github.com/faisal-alvi) via [#298](https://github.com/10up/simple-local-avatars/pull/298)).
3444
- Bump `webpack` from 5.90.0 to 5.94.0 (props [@dependabot](https://github.com/apps/dependabot), [@faisal-alvi](https://github.com/faisal-alvi) via [#303](https://github.com/10up/simple-local-avatars/pull/303)).
3545
- Bump `ws` from 7.5.10 to 8.18.0 and `@wordpress/scripts` from 27.1.0 to 30.4.0 (props [@dependabot](https://github.com/apps/dependabot), [@faisal-alvi](https://github.com/faisal-alvi) via [#305](https://github.com/10up/simple-local-avatars/pull/305), [#311](https://github.com/10up/simple-local-avatars/pull/311)).
@@ -370,6 +380,8 @@ All notable changes to this project will be documented in this file, per [the Ke
370380
- Initial release
371381

372382
[Unreleased]: https://github.com/10up/simple-local-avatars/compare/trunk...develop
383+
[2.8.3]: https://github.com/10up/simple-local-avatars/compare/2.8.2...2.8.3
384+
[2.8.2]: https://github.com/10up/simple-local-avatars/compare/2.8.1...2.8.2
373385
[2.8.1]: https://github.com/10up/simple-local-avatars/compare/2.8.0...2.8.1
374386
[2.8.0]: https://github.com/10up/simple-local-avatars/compare/2.7.11...2.8.0
375387
[2.7.11]: https://github.com/10up/simple-local-avatars/compare/2.7.10...2.7.11

CREDITS.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,7 @@ The following individuals are responsible for curating the list of issues, respo
1010

1111
Thank you to all the people who have already contributed to this repository via bug reports, code, design, ideas, project management, translation, testing, etc.
1212

13-
[Jake Goldman (@jakemgold)](https://github.com/jakemgold), [Steve Grunwell (@stevegrunwell)](https://github.com/stevegrunwell), [Ravi Chandra (@ravichdev)](https://github.com/ravichdev), [Eduard Florea (@eflorea)](https://github.com/eflorea), [Helen Hou-Sandi (@helen)](https://github.com/helen), [@kniebremser](https://github.com/kniebremser), [Robbie Trencheny (@robbiet480)](https://github.com/robbiet480), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Adam Silverstein (@adamsilverstein)](https://github.com/adamsilverstein), [Paul de Wouters (@pdewouters)](https://github.com/pdewouters), [Ledwing Hernandez (@Waka867)](https://github.com/Waka867), [Tim Moore (@tmoorewp)](https://github.com/tmoorewp), [Oscar Sanchez S. (@oscarssanchez)](https://github.com/oscarssanchez), [Tung Du (@dinhtungdu)](https://github.com/dinhtungdu), [Ben Lobaugh (@blobaugh)](https://github.com/blobaugh), [Chris Jones (@heyjones)](https://github.com/heyjones), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Ammon Lockwood (@sumnercreations)](https://github.com/sumnercreations), [David Shanske (@dshanske)](https://github.com/dshanske), [Myles McNamara (@tripflex)](https://github.com/tripflex), [Jackie Kjome (@JackieKjome)](https://github.com/JackieKjome) [David Chabbi (@davidchabbi)](https://profiles.wordpress.org/davidchabbi/), [Jeffrey Carandang (@phpbits)](https://github.com/phpbits), [@Antonio-Laguna](https://github.com/Antonio-Laguna), [(@ituk)](https://github.com/ituk), [Fabio Giannese (@diodoe)](https://github.com/diodoe), [Ankit K Gupta (@ankitguptaindia)](https://github.com/ankitguptaindia), [Ajay Maurya (@ajmaurya99)](https://github.com/ajmaurya99), [Clayton Collie (@claytoncollie)](https://github.com/claytoncollie), [Connor Smyth (@ActuallyConnor)](https://github.com/ActuallyConnor), [Thrijith Thankachan (@thrijith)](https://github.com/thrijith), [Rahul Prajapati (@rahulsprajapati)](https://github.com/rahulsprajapati), [Faisal Alvi 
(@faisal-alvi)](https://github.com/faisal-alvi), [Sudip Dadhaniya (@sudip-10up)](https://github.com/sudip-10up), [Max Lyuchin (@cadic)](https://github.com/cadic), [Dharmesh Patel (@iamdharmesh)](https://github.com/iamdharmesh), [(@holle75)](https://github.com/holle75), [Mehul Kaklotar (@mehulkaklotar)](https://github.com/mehulkaklotar), [Ulrich Pogson (@grappler)](https://github.com/grappler), [Peter Wilson (@peterwilsoncc)](https://github.com/peterwilsoncc), [Austin Passy (@thefrosty)](https://github.com/thefrosty), [Vikram Moparthy (@vikrampm1)](https://github.com/vikrampm1), [Alireza Salehi (@alireza-salehi)](https://github.com/alireza-salehi), [Vlad Olaru (@vladolaru)](https://github.com/vladolaru), [Alec Kinnear (@foliovision)](https://github.com/foliovision), [Siddharth Thevaril (@Sidsector9)](https://github.com/Sidsector9), [David (@pixelloop)](https://github.com/pixelloop), [Victor Berland (@victorberland)](https://github.com/victorberland), [Konstantin Kovshenin (@kovshenin)](https://github.com/kovshenin), [Timothy Wheelock (@t-lock)](https://github.com/t-lock), [Jayedul Kabir (@jayedul)](https://github.com/jayedul), [Quamruz Zaman (@zamanq)](https://github.com/zamanq), [K. 
Adam White (@kadamwhite)](https://github.com/kadamwhite), [Shirkit (@Shirkit)](https://github.com/Shirkit), [Georgi Georgiev (@lllopo)](https://github.com/lllopo), [Matt Watson (@mattwatsoncodes)](https://github.com/mattwatsoncodes), [Christoph Rothmeier (@Rottinator)](https://github.com/Rottinator), [Ravinder Kumar (@ravinderk)](https://github.com/ravinderk), [Matthew Haines-Young (@mattheu)](https://github.com/mattheu), [Patryk Kujawa (@patrixer)](https://github.com/patrixer), [Sebastian (@sekra24)](https://github.com/sekra24), [Bhargav Bhandari (@BhargavBhandari90)](https://github.com/BhargavBhandari90), [Konstantinos Galanakis (@kmgalanakis)](https://github.com/kmgalanakis), [Jon Christensen (@Firestorm980)](https://github.com/Firestorm980), [Joseph Richardson (@EHLOVader)](https://github.com/EHLOVader), [Dominik Schilling (@ocean90)](https://github.com/ocean90), [Jake Jackson (@jakejackson1)](https://github.com/jakejackson1), [Leo Germani (@leogermani)](https://github.com/leogermani), [Viktor Szépe (@szepeviktor)](https://github.com/szepeviktor), [horrormovies.gr (@horrormoviesgr)](https://profiles.wordpress.org/horrormoviesgr/), [inpeaks (@inpeaks)](https://profiles.wordpress.org/inpeaks/), [lillylark (@lillylark)](https://profiles.wordpress.org/lillylark/), [Rafał Całka (@rafaucau)](https://github.com/rafaucau), [janrenn (@janrenn)](https://profiles.wordpress.org/janrenn/), [Amir Hossein (amirhossein7)](https://profiles.wordpress.org/amirhossein7/), [Sumit Bagthariya (@qasumitbagthariya)](https://github.com/qasumitbagthariya), [Sudip Dadhaniya (@sudip-md)](https://github.com/sudip-md), [Evan Mattson (@aaemnnosttv)](https://github.com/aaemnnosttv), [Rafie Muhammad (@rafiem)](https://github.com/rafiem), [Pedro Mendonça (@pedro-mendonca)](https://github.com/pedro-mendonca), [Adam Cassis (@adekbadek)](https://github.com/adekbadek), [Trương Hữu Phúc (@truonghuuphuc)](https://github.com/truonghuuphuc), [Justus Böhme]().
13+
[Jake Goldman (@jakemgold)](https://github.com/jakemgold), [Steve Grunwell (@stevegrunwell)](https://github.com/stevegrunwell), [Ravi Chandra (@ravichdev)](https://github.com/ravichdev), [Eduard Florea (@eflorea)](https://github.com/eflorea), [Helen Hou-Sandi (@helen)](https://github.com/helen), [@kniebremser](https://github.com/kniebremser), [Robbie Trencheny (@robbiet480)](https://github.com/robbiet480), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Adam Silverstein (@adamsilverstein)](https://github.com/adamsilverstein), [Paul de Wouters (@pdewouters)](https://github.com/pdewouters), [Ledwing Hernandez (@Waka867)](https://github.com/Waka867), [Tim Moore (@tmoorewp)](https://github.com/tmoorewp), [Oscar Sanchez S. (@oscarssanchez)](https://github.com/oscarssanchez), [Tung Du (@dinhtungdu)](https://github.com/dinhtungdu), [Ben Lobaugh (@blobaugh)](https://github.com/blobaugh), [Chris Jones (@heyjones)](https://github.com/heyjones), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Ammon Lockwood (@sumnercreations)](https://github.com/sumnercreations), [David Shanske (@dshanske)](https://github.com/dshanske), [Myles McNamara (@tripflex)](https://github.com/tripflex), [Jackie Kjome (@JackieKjome)](https://github.com/JackieKjome) [David Chabbi (@davidchabbi)](https://profiles.wordpress.org/davidchabbi/), [Jeffrey Carandang (@phpbits)](https://github.com/phpbits), [@Antonio-Laguna](https://github.com/Antonio-Laguna), [(@ituk)](https://github.com/ituk), [Fabio Giannese (@diodoe)](https://github.com/diodoe), [Ankit K Gupta (@ankitguptaindia)](https://github.com/ankitguptaindia), [Ajay Maurya (@ajmaurya99)](https://github.com/ajmaurya99), [Clayton Collie (@claytoncollie)](https://github.com/claytoncollie), [Connor Smyth (@ActuallyConnor)](https://github.com/ActuallyConnor), [Thrijith Thankachan (@thrijith)](https://github.com/thrijith), [Rahul Prajapati (@rahulsprajapati)](https://github.com/rahulsprajapati), [Faisal Alvi 
(@faisal-alvi)](https://github.com/faisal-alvi), [Sudip Dadhaniya (@sudip-10up)](https://github.com/sudip-10up), [Max Lyuchin (@cadic)](https://github.com/cadic), [Dharmesh Patel (@iamdharmesh)](https://github.com/iamdharmesh), [(@holle75)](https://github.com/holle75), [Mehul Kaklotar (@mehulkaklotar)](https://github.com/mehulkaklotar), [Ulrich Pogson (@grappler)](https://github.com/grappler), [Peter Wilson (@peterwilsoncc)](https://github.com/peterwilsoncc), [Austin Passy (@thefrosty)](https://github.com/thefrosty), [Vikram Moparthy (@vikrampm1)](https://github.com/vikrampm1), [Alireza Salehi (@alireza-salehi)](https://github.com/alireza-salehi), [Vlad Olaru (@vladolaru)](https://github.com/vladolaru), [Alec Kinnear (@foliovision)](https://github.com/foliovision), [Siddharth Thevaril (@Sidsector9)](https://github.com/Sidsector9), [David (@pixelloop)](https://github.com/pixelloop), [Victor Berland (@victorberland)](https://github.com/victorberland), [Konstantin Kovshenin (@kovshenin)](https://github.com/kovshenin), [Timothy Wheelock (@t-lock)](https://github.com/t-lock), [Jayedul Kabir (@jayedul)](https://github.com/jayedul), [Quamruz Zaman (@zamanq)](https://github.com/zamanq), [K. 
Adam White (@kadamwhite)](https://github.com/kadamwhite), [Shirkit (@Shirkit)](https://github.com/Shirkit), [Georgi Georgiev (@lllopo)](https://github.com/lllopo), [Matt Watson (@mattwatsoncodes)](https://github.com/mattwatsoncodes), [Christoph Rothmeier (@Rottinator)](https://github.com/Rottinator), [Ravinder Kumar (@ravinderk)](https://github.com/ravinderk), [Matthew Haines-Young (@mattheu)](https://github.com/mattheu), [Patryk Kujawa (@patrixer)](https://github.com/patrixer), [Sebastian (@sekra24)](https://github.com/sekra24), [Bhargav Bhandari (@BhargavBhandari90)](https://github.com/BhargavBhandari90), [Konstantinos Galanakis (@kmgalanakis)](https://github.com/kmgalanakis), [Jon Christensen (@Firestorm980)](https://github.com/Firestorm980), [Joseph Richardson (@EHLOVader)](https://github.com/EHLOVader), [Dominik Schilling (@ocean90)](https://github.com/ocean90), [Jake Jackson (@jakejackson1)](https://github.com/jakejackson1), [Leo Germani (@leogermani)](https://github.com/leogermani), [Viktor Szépe (@szepeviktor)](https://github.com/szepeviktor), [horrormovies.gr (@horrormoviesgr)](https://profiles.wordpress.org/horrormoviesgr/), [inpeaks (@inpeaks)](https://profiles.wordpress.org/inpeaks/), [lillylark (@lillylark)](https://profiles.wordpress.org/lillylark/), [Rafał Całka (@rafaucau)](https://github.com/rafaucau), [janrenn (@janrenn)](https://profiles.wordpress.org/janrenn/), [Amir Hossein (amirhossein7)](https://profiles.wordpress.org/amirhossein7/), [Sumit Bagthariya (@qasumitbagthariya)](https://github.com/qasumitbagthariya), [Sudip Dadhaniya (@sudip-md)](https://github.com/sudip-md), [Evan Mattson (@aaemnnosttv)](https://github.com/aaemnnosttv), [Rafie Muhammad (@rafiem)](https://github.com/rafiem), [Pedro Mendonça (@pedro-mendonca)](https://github.com/pedro-mendonca), [Adam Cassis (@adekbadek)](https://github.com/adekbadek), [Trương Hữu Phúc (@truonghuuphuc)](https://github.com/truonghuuphuc), [Justus Böhme (@justus12337)](https://github.com/justus12337).
1414

1515
## Libraries
1616

includes/class-simple-local-avatars.php

Lines changed: 12 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1324,11 +1324,22 @@ public function set_avatar_rest( $input, $user ) {
13241324
return new \WP_Error( 'invalid_media_id', esc_html__( 'Request did not contain a valid media_id field.', 'simple-local-avatars' ) );
13251325
}
13261326

1327+
$attachment = get_post( (int) $input['media_id'] );
1328+
13271329
// Ensure this media_id is a valid attachment.
1328-
if ( ! wp_get_attachment_url( (int) $input['media_id'] ) ) {
1330+
if (
1331+
! $attachment ||
1332+
'attachment' !== $attachment->post_type ||
1333+
! wp_attachment_is_image( $attachment )
1334+
) {
13291335
return new \WP_Error( 'invalid_media_id', esc_html__( 'Media ID did not match a valid attachment.', 'simple-local-avatars' ) );
13301336
}
13311337

1338+
// Ensure this attachment is associated with this user.
1339+
if ( (int) $attachment->post_author !== (int) $user->ID ) {
1340+
return new \WP_Error( 'invalid_media_id', esc_html__( 'This attachment was not uploaded by this user.', 'simple-local-avatars' ) );
1341+
}
1342+
13321343
$this->assign_new_user_avatar( (int) $input['media_id'], $user->ID );
13331344
}
13341345
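Review bot: The ownership check at line 1339 keys on who uploaded the attachment (`(int) $attachment->post_author !== (int) $user->ID`), not on what the requester is allowed to do, which both over- and under-restricts: an administrator who uploads an image and then sets it as another user's avatar is refused with `invalid_media_id`, while an attachment whose `post_author` is 0 (sideloaded or programmatically created media) can never be used at all. A capability check on the attachment, e.g. `current_user_can( 'edit_post', $attachment->ID )`, covers the uploader and anyone permitted to manage that media, and still denies the cross-user read of private attachments that the previous advisory fix addressed; if the uploader-only rule is intentional, it should at least be documented in the changelog. Two smaller points: the condition at lines 1330 to 1334 now reuses the error code `invalid_media_id` and the message "Media ID did not match a valid attachment." for a real attachment that merely is not an image, so a client cannot tell "no such attachment" from "wrong file type"; a separate message (or error code) for the `! wp_attachment_is_image( $attachment )` branch would help. And `wp_attachment_is_image()` decides from the attachment's recorded file extension and `post_mime_type`, not from the file contents, so this is a type check that relies on upload-time validation having already happened; that is acceptable here, but the comment "Ensure this media_id is a valid attachment." should say the image requirement too, since the condition now enforces it.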
