SECURITY: limit route access when using external avatars

app/controllers/user_avatars_controller.rb

@@ -21,8 +21,11 @@ class UserAvatarsController < ApplicationController
     end
   end
 
-  # mainly used in development for backwards compat
   def show_proxy_letter
+    if SiteSetting.external_system_avatars_url !~ /^\/letter_avatar_proxy/
+      raise Discourse::NotFound
+    end
+
     params.require(:letter)
     params.require(:color)
     params.require(:version)

spec/controllers/user_avatars_controller_spec.rb

@@ -2,6 +2,19 @@ require 'rails_helper'
 
 describe UserAvatarsController do
 
+  context 'show_proxy_letter' do
+    it 'returns not found if external avatar is set somewhere else' do
+      SiteSetting.external_system_avatars_url = "https://somewhere.else.com/avatar.png"
+      response = get :show_proxy_letter, version: 'v2', letter: 'a', color: 'aaaaaa', size: 20
+      expect(response.status).to eq(404)
+    end
+
+    it 'returns an avatar if we are allowing the proxy' do
+      response = get :show_proxy_letter, version: 'v2', letter: 'a', color: 'aaaaaa', size: 20
+      expect(response.status).to eq(200)
+    end
+  end
+
   context 'show' do
     it 'handles non local content correctly' do
       SiteSetting.avatar_sizes = "100|49"