From ff8349ff3f0a88ed4f7ed6816811dc5970b5536a Mon Sep 17 00:00:00 2001
From: Lonami Exo
Date: Wed, 3 Apr 2019 09:51:33 +0200
Subject: [PATCH] Prevent download_profile_photo from downloading arbitrary files

First of all, because it shouldn't be doing that. Second, it was buggy and was passing the tuple returned by get_input_location to download_file which doesn't accept tuples (instead it should be passed the photo object so that download_file could return dc_id and input file location itself).
---
 telethon/client/downloads.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/telethon/client/downloads.py b/telethon/client/downloads.py
index 871713c6..85e6e15c 100644
--- a/telethon/client/downloads.py
+++ b/telethon/client/downloads.py
@@ -78,10 +78,11 @@ class DownloadMethods(UserMethods):
 if isinstance(photo, (types.UserProfilePhoto, types.ChatPhoto)):
 loc = photo.photo_big if download_big else photo.photo_small
 else:
- try:
- loc = utils.get_input_location(photo)
- except TypeError:
- return None
+ # It doesn't make any sense to check if `photo` can be used
+ # as input location, because then this method would be able
+ # to "download the profile photo of a message", i.e. its
+ # media which should be done with `download_media` instead.
+ return None
 
 file = self._get_proper_filename(
 file, 'profile_photo', '.jpg',
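Review bot: The new `else:` branch returns `None` for every input that is not a `UserProfilePhoto` or `ChatPhoto`, which the caller cannot tell apart from an entity that simply has no photo. Since this type check is what stops the method from fetching arbitrary file locations, the comment should state the contract rather than the rationale. I would shorten it to `# Only UserProfilePhoto/ChatPhoto are accepted; other media must go through download_media.` and mention the `None` result for unsupported inputs in the method docstring, which lies outside this hunk. The diffstat shows a single file changed, so no regression test accompanies the restriction; a test that passes a non-photo object and asserts `None` is returned without `download_file` being called would pin it. The method body starts above and continues below the hunk, so how `photo` is derived from the entity is not visible here.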