
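<?php
/**
 * Serves a user's photo (GIF) for the users grid.
 *
 * The client-supplied pUID is reduced to an allow-listed identifier and resolved
 * to a file under PATH_IMAGES_ENVIRONMENT_USERS; if no such file exists the value
 * is retried as a USR_ID, and finally the default avatar is used. The image is
 * streamed with ETag / Last-Modified validators so clients can revalidate cheaply.
 *
 * Side effects: returns the RBAC response when access is denied; otherwise emits
 * HTTP headers and either a 404, a 304 or the image bytes, then exits.
 */
use ProcessMaker\Model\User;

// Access control: only authenticated (PM_LOGIN) users may fetch photos.
if (($RBAC_Response = $RBAC->userCanAccess("PM_LOGIN")) != 1) {
    return $RBAC_Response;
}

$defaultImage = PATH_HOME . 'public_html/images/user.gif';

// pUID is untrusted input. A missing parameter would raise an undefined-index
// notice and an array value (pUID[]=x) would make basename() throw, so normalise
// anything that is not a string to '' before touching it.
$rawUid = isset($_REQUEST['pUID']) && is_string($_REQUEST['pUID']) ? $_REQUEST['pUID'] : '';
$pUID = basename($rawUid); // strips any directory component (path traversal)
// Allow-list filter: only [A-Za-z0-9_-] survive, so the value cannot escape the
// images directory or carry metacharacters. preg_replace() yields null on a PCRE
// error; the cast turns that into '' rather than a later TypeError.
$pUID = (string) preg_replace('/[^a-zA-Z0-9_-]/', '', $pUID);

// Compare with === '' rather than empty(): "0" is a legitimate identifier.
if ($pUID === '') {
    $filename = $defaultImage;
} else {
    $filename = PATH_IMAGES_ENVIRONMENT_USERS . $pUID . ".gif";
}

// No photo under that name: pUID may be a USR_ID instead of a USR_UID, so look
// the user up and retry with the resolved USR_UID. Anything unresolved maps to
// the default avatar. The lookup is skipped for an empty pUID (nothing to match).
if ($pUID !== '' && !file_exists($filename)) {
    $user = new User();
    $filters = [
        'limit' => 1,
        'fields' => ['USR_UID'],
        'conditions' => [['USR_ID', '=', $pUID]],
    ];
    $result = $user->show($filters);

    $filename = $defaultImage;
    // Strict comparison on the count; the original `== 1` also accepted "1".
    if (isset($result['total']) && (int) $result['total'] === 1) {
        $candidate = PATH_IMAGES_ENVIRONMENT_USERS . $result['data'][0]['USR_UID'] . ".gif";
        if (file_exists($candidate)) {
            $filename = $candidate;
        }
    }
}

// Even the default avatar may be missing from a broken install: answer 404.
if (!file_exists($filename)) {
    header('HTTP/1.1 404 Not Found');
    exit();
}

// Cache validators. The ETag only needs to change when the file changes; it is
// not a secret, so md5 is adequate for this purpose.
$lastModified = filemtime($filename);
$fileSize = filesize($filename);
$etag = md5($fileSize . $lastModified . $filename);

header('Content-Type: image/gif');
header('ETag: "' . $etag . '"');
header('Last-Modified: ' . gmdate('D, d M Y H:i:s', $lastModified) . ' GMT');
header('Content-Length: ' . $fileSize);
// NOTE(review): 'public' allows shared/intermediary caches to store photos that
// are otherwise only served behind PM_LOGIN; 'private' would confine caching to
// the requesting browser. Left as-is pending confirmation of the intended policy.
header('Cache-Control: public, must-revalidate, max-age=300'); // 5 min cache

// If-None-Match may list several validators, may be weakened by a proxy
// (W/"..." prefix) or may be "*"; handle each so a revalidation is not missed.
$ifNoneMatch = isset($_SERVER['HTTP_IF_NONE_MATCH']) ? trim($_SERVER['HTTP_IF_NONE_MATCH']) : '';
$matchesClient = false;
if ($ifNoneMatch !== '') {
    foreach (explode(',', $ifNoneMatch) as $clientEtag) {
        $clientEtag = trim($clientEtag);
        if (strpos($clientEtag, 'W/') === 0) {
            $clientEtag = substr($clientEtag, 2);
        }
        if ($clientEtag === '*' || $clientEtag === '"' . $etag . '"') {
            $matchesClient = true;
            break;
        }
    }
}
if ($matchesClient) {
    header('HTTP/1.1 304 Not Modified');
    exit;
}

// Stream the image bytes.
readfile($filename);
exit();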