Advisories for Cargo/Kanidmd_lib package

2026

kanidmd_lib: Image upload validators run before authorization; PNG validator panics on malformed input

The POST /v1/domain/_image and POST /v1/oauth2/{rs_name}/_image handlers call validate_image() on the uploaded body before the ACL check that restricts image upload to admins. Any bug in an image validator is therefore reachable by an unauthenticated remote client rather than being admin-gated. One such bug exists today: png_has_trailer() panics on inputs shorter than 8 bytes, or whose first chunk-length field is near u32::MAX. On a default build this has no server-wide …
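
The two malformed-input cases named above (a body shorter than 8 bytes, a first chunk length near u32::MAX) and the check-order problem, as an added Rust example that is not kanidm's code. The names has_trailer_checked and handle_image_upload and both error enums are hypothetical, and rejecting trailing bytes is an assumed policy.

```rust
// Added example: hypothetical names, not kanidm's code.
const PNG_SIG: [u8; 8] = [0x89, b'P', b'N', b'G', 0x0D, 0x0A, 0x1A, 0x0A];

#[derive(Debug, PartialEq)]
pub enum PngError { TooShort, BadSignature, Truncated, NoIend }

#[derive(Debug, PartialEq)]
pub enum UploadError { Forbidden, Invalid }

/// Walks the chunk list; Ok(true) means bytes follow the IEND chunk.
pub fn has_trailer_checked(buf: &[u8]) -> Result<bool, PngError> {
    // get() yields None rather than panicking on inputs shorter than 8 bytes.
    let sig = buf.get(..8).ok_or(PngError::TooShort)?;
    if sig != &PNG_SIG[..] { return Err(PngError::BadSignature); }
    let mut pos = 8usize;
    while pos < buf.len() {
        // Chunk layout: 4-byte big-endian length, 4-byte type, data, 4-byte CRC.
        let hdr_end = pos.checked_add(8).ok_or(PngError::Truncated)?;
        let hdr = buf.get(pos..hdr_end).ok_or(PngError::Truncated)?;
        let len = u32::from_be_bytes([hdr[0], hdr[1], hdr[2], hdr[3]]) as usize;
        // A length near u32::MAX must not wrap or index past the buffer.
        let end = hdr_end
            .checked_add(len)
            .and_then(|e| e.checked_add(4))
            .filter(|e| *e <= buf.len())
            .ok_or(PngError::Truncated)?;
        if &hdr[4..8] == b"IEND" { return Ok(end < buf.len()); }
        pos = end;
    }
    Err(PngError::NoIend)
}

/// Assumed handler shape: ACL decision first, parsing only for admins.
/// Rejecting trailing data is this example's policy, not taken from the page.
pub fn handle_image_upload(is_admin: bool, body: &[u8]) -> Result<(), UploadError> {
    if !is_admin { return Err(UploadError::Forbidden); }
    match has_trailer_checked(body) {
        Ok(false) => Ok(()),
        _ => Err(UploadError::Invalid),
    }
}

fn main() {
    // Constructed input: valid signature, then a chunk length of u32::MAX.
    let mut huge = PNG_SIG.to_vec();
    huge.extend_from_slice(&[0xFF, 0xFF, 0xFF, 0xFF, b'I', b'D', b'A', b'T']);
    println!("{:?} {:?}", has_trailer_checked(&[0x89, b'P']), has_trailer_checked(&huge));
    println!("{:?}", handle_image_upload(false, &huge));
}
```

With the ACL check ahead of the parser, a non-admin request is refused without the body being read, so a remaining validator bug stays behind the admin gate.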