From 6ce9ea4950b8a053e49bd3adec7bedb8d6a2d4a5 Mon Sep 17 00:00:00 2001
From: Bjarke Berg
Date: Tue, 2 Aug 2022 11:00:58 +0200
Subject: [PATCH] Force the allowed avatar image types. We do not want to use the Umbraco:Cms:Content:Imaging:ImageFileTypes as this could very well be different for content.
---
 src/Umbraco.Web.BackOffice/Controllers/UsersController.cs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/Umbraco.Web.BackOffice/Controllers/UsersController.cs b/src/Umbraco.Web.BackOffice/Controllers/UsersController.cs
index 24e5a77a23..f734d8626b 100644
--- a/src/Umbraco.Web.BackOffice/Controllers/UsersController.cs
+++ b/src/Umbraco.Web.BackOffice/Controllers/UsersController.cs
@@ -179,8 +179,9 @@ public class UsersController : BackOfficeNotificationsController
 var fileName = file.FileName.Trim(new[] { '\"' }).TrimEnd();
 var safeFileName = fileName.ToSafeFileName(shortStringHelper);
 var ext = safeFileName.Substring(safeFileName.LastIndexOf('.') + 1).ToLower();
+ const string allowedAvatarFileTypes = "jpeg,jpg,gif,bmp,png,tiff,tif,webp";
 
- if (contentSettings.DisallowedUploadFiles.Contains(ext) == false)
+ if (allowedAvatarFileTypes.Contains(ext) == true && contentSettings.DisallowedUploadFiles.Contains(ext) == false)
 {
 //generate a path of known data, we don't want this path to be guessable
 user.Avatar = "UserAvatars/" + (user.Id + safeFileName).GenerateHash() + "." + ext;
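Review bot: `allowedAvatarFileTypes.Contains(ext)` in the new `if` is `string.Contains`, a substring test over the comma-joined list rather than a membership test, so the allowlist accepts more than the eight listed types: an empty `ext` (a file name ending in a dot) and fragments such as `g`, `if` or `pe` all pass. Compare against the individual entries instead, e.g. `if (allowedAvatarFileTypes.Split(',').Contains(ext) && contentSettings.DisallowedUploadFiles.Contains(ext) == false)` (assuming `System.Linq` is in scope in this file), or keep the types in a `static readonly HashSet<string>` built with `StringComparer.OrdinalIgnoreCase`. The `ToLower()` on the context line above is culture-sensitive; `ToLowerInvariant()` would keep both the allowlist and the `DisallowedUploadFiles` comparison independent of the server culture. The enclosing method starts and ends outside this hunk, so whether the uploaded content itself is validated as an image cannot be seen from here.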