VYPR
Moderate severity · NVD Advisory · Published Jul 13, 2022 · Updated Aug 3, 2024

CVE-2022-32065

Description

An arbitrary file upload vulnerability in the background management module of RuoYi v4.7.3 and below allows attackers to execute arbitrary code via a crafted HTML file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.ruoyi:ruoyi (Maven)
Affected versions: < 4.7.4
Patched versions: 4.7.4

Vulnerability mechanics

Root cause

"Missing file-type validation in the avatar upload function allows arbitrary file uploads."

Attack vector

An attacker with access to the background management module can upload a crafted HTML file (or other executable file) as the user avatar via the `updateAvatar` endpoint. Because the original code did not validate the uploaded file's MIME type or extension, the attacker can supply a file containing arbitrary code (e.g., a JSP webshell) that, once uploaded, can be accessed and executed on the server. The patch restricts uploads to image extensions only, closing this vector [patch_id=1641467].

Affected code

The vulnerability resides in the avatar upload endpoint in `SysProfileController.java` at the `updateAvatar` method. The original code called `FileUploadUtils.upload(RuoYiConfig.getAvatarPath(), file)` without any file-type restriction, allowing arbitrary file uploads.

What the fix does

The patch adds a third argument `MimeTypeUtils.IMAGE_EXTENSION` to the `FileUploadUtils.upload()` call, which restricts uploaded avatar files to allowed image extensions (e.g., jpg, png, gif). The `InvalidExtensionException` error message was also localized to Chinese, but the key security fix is the extension whitelist. This prevents attackers from uploading non-image files such as HTML, JSP, or PHP files that could be used to execute arbitrary code on the server [patch_id=1641467][patch_id=1641468].
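The allowlist pattern the fix relies on, shown as an added example rather than RuoYi's own code: the `isAllowedImageExtension` helper, the `vulnerableUpload`/`hardenedUpload` pair and the sample filenames are all constructed for illustration, and the extension set is assumed to stand in for `MimeTypeUtils.IMAGE_EXTENSION`.

```java
import java.util.Locale;
import java.util.Set;

public class AvatarUploadCheck {
    // Assumed stand-in for MimeTypeUtils.IMAGE_EXTENSION; the project's real list is not reproduced here.
    static final Set<String> IMAGE_EXTENSION = Set.of("bmp", "gif", "jpg", "jpeg", "png");

    /**
     * Returns true only when the submitted filename ends in an allowlisted image extension.
     * Names with no extension, a trailing dot, path separators or control characters are
     * refused, so the decision is made on the final extension and nothing else.
     */
    static boolean isAllowedImageExtension(String originalFilename) {
        if (originalFilename == null || originalFilename.isEmpty()) {
            return false;
        }
        for (char c : originalFilename.toCharArray()) {
            if (c == '/' || c == '\\' || c < 0x20) {
                return false;
            }
        }
        int dot = originalFilename.lastIndexOf('.');
        if (dot < 0 || dot == originalFilename.length() - 1) {
            return false;
        }
        String ext = originalFilename.substring(dot + 1).toLowerCase(Locale.ROOT);
        return IMAGE_EXTENSION.contains(ext);
    }

    // Pre-fix shape: the name is accepted as-is, so any file type ends up under the avatar path.
    static String vulnerableUpload(String avatarPath, String originalFilename) {
        return avatarPath + "/" + originalFilename;
    }

    // Post-fix shape: the allowlist is enforced before anything is written.
    static String hardenedUpload(String avatarPath, String originalFilename) {
        if (!isAllowedImageExtension(originalFilename)) {
            throw new IllegalArgumentException("invalid file extension: " + originalFilename);
        }
        return avatarPath + "/" + originalFilename;
    }

    public static void main(String[] args) {
        // Constructed sample names: two legitimate avatars, then inputs the check must refuse.
        String[] samples = {"avatar.png", "AVATAR.JPG", "shell.jsp", "page.html", "noext", "trailing."};
        for (String s : samples) {
            System.out.println(s + " -> " + (isAllowedImageExtension(s) ? "accepted" : "rejected"));
        }
    }
}
```

Note that the check is on the filename only; a deployment that also needs content-level assurance would additionally validate that the bytes decode as an image.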

Preconditions

  • auth: Attacker must have access to the background management module of RuoYi
  • network: The avatar upload endpoint must be reachable

Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
