From bc6364f4c0219a739d0da41e7c38dc4c5ad754b0 Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Fri, 17 Nov 2017 12:00:39 -0500
Subject: [PATCH] fixed #6082

---
 src/user/picture.js | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/user/picture.js b/src/user/picture.js
index 429b67efe9..60991aa39c 100644
--- a/src/user/picture.js
+++ b/src/user/picture.js
@@ -3,6 +3,7 @@
 var async = require('async');
 var request = require('request');
 var mime = require('mime');
+var winston = require('winston');
 var plugins = require('../plugins');
 var file = require('../file');
 
@@ -53,6 +54,12 @@ module.exports = function (User) {
 	};
 
 	User.updateCoverPosition = function (uid, position, callback) {
+		// Reject anything that isn't two percentages
+		if (!/^[\d.]+%\s[\d.]+%$/.test(position)) {
+			winston.warn('[user/updateCoverPosition] Invalid position received: ' + position);
+			return callback(new Error('[[error:invalid-data]]'));
+		}
+
 		User.setUserField(uid, 'cover:position', position, callback);
 	};
 
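Review bot: The new guard in User.updateCoverPosition, `/^[\d.]+%\s[\d.]+%$/`, is looser than its comment promises: `[\d.]+` also matches a lone `.`, `1.2.3` or an arbitrarily long digit run, `\s` also matches a tab or newline, so inputs like `.% .%` or `50%\n50%` pass as "two percentages", and because `RegExp.test` coerces its argument an array holding one valid string passes too and is then handed to setUserField unchanged. Since this value presumably originates from a client and ends up used as a CSS position, the accepted set should be exactly what the consumer expects, e.g. `if (typeof position !== 'string' || !/^\d{1,3}(?:\.\d+)?% \d{1,3}(?:\.\d+)?%$/.test(position)) {`. The warning on the following line concatenates the rejected raw value into the log unbounded; `winston.warn('[user/updateCoverPosition] Invalid position received: ' + JSON.stringify(String(position).slice(0, 64)));` keeps the entry single-line and short. The winston require in the first hunk is fine; the enclosing `module.exports = function (User)` starts outside the hunk.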