From f9884af1148ae4355230cfa121fb5d22081487b3 Mon Sep 17 00:00:00 2001
From: Alex Vandiver <alexmv@zulip.com>
Date: Tue, 21 Nov 2023 21:03:02 +0000
Subject: [PATCH] upload: Return images for 404/403 responses with image
 Accept: headers.

If the request's `Accept:` header signals a preference for serving
images over text, return an image representing the 404/403 instead of
serving a `text/html` response.

Fixes: #23739.
---
 static/images/errors/image-no-auth.png   | Bin 0 -> 11067 bytes
 static/images/errors/image-not-exist.png | Bin 0 -> 11400 bytes
 zerver/tests/test_upload.py              |  43 ++++++++++++++++++++++
 zerver/views/upload.py                   |  44 ++++++++++++++++++++---
 4 files changed, 83 insertions(+), 4 deletions(-)
 create mode 100644 static/images/errors/image-no-auth.png
 create mode 100644 static/images/errors/image-not-exist.png

diff --git a/static/images/errors/image-no-auth.png b/static/images/errors/image-no-auth.png
new file mode 100644
index 0000000000000000000000000000000000000000..316263403166cb076579d5f0f23cd29c7f6ca40f
GIT binary patch
literal 11067
zcmd6NcT`isw{EB+O$0=$APUl@qacJPNN))xfFMXGppt-;fPkWOR0vH4gainL8iEGt
z3JTH^nu&md(n67rg!1C=z5nl8Z>_uT{o^F-OwOLnnZ4(mZ-0A|ZLLkY*oD~v005WS
zEn|BCfT4?iDX_89TWlR0o9SPt@7;0<0{|{w`*$(iM5=hw8yUjvO$`AxgQ83H8)iQP
zD+2(aK9l3{4hsMvH*98X0D8!<I%QSC|Ly2xV^h3a=B}W|T~>EN5U)W#^Qak{wu|g#
z<BO@+Qt!a{9^}qFX!shAB(QySSFcjhnUZDZl~NvIR+X_#NI5O@QXlp?k(+G~SoG%a
z?s{~4^95_LQ-srAWc!Z?p?j+}PaVJut_!1)lXVRZ4G;hztMbH&{;9%v5g-x7YzWXF
zXL}5IRDG6>0pN0phY`?VBEbx}o376W_$(aH1IW_&pMFq;1EAI%Ktg*h48HzURokW=
zbu`g_+_b+{bm9ic(`CG<Y{VWLy|<>=wvisnfAzzku6;!7-T}4t{Fw_k1X(_|AFYP6
zJo@(k-ak(`=lFK?YSS#$<0NXMPrmjtVqq>5s1&=`GLz0&dd#Y<o6Qz4TZge>>8Op}
zsk-TUwRPM6{^9<{$P9auc+4LLaCt|ztt4|42)y&{R1RmQHp_vj1he!gYI&<PQ%~-A
zGq;^TZogaHgu#JfyJhBRt>SWC0>+^j$ZS}gs01!5irM^9p}zO?skkF@5oehr-Sl;|
z_|}-LvJm6NVZ&VdAIs$&@*lp@jdm=vpJ3-mk*&~XAzb8P<dVi71oIvCRowmev@X57
zgoNplQqySc!7I=Nh9vJ)!^0ELPH%r~9uGX;$b6Y#HGvs2YpT>93qLws02VFnGNdNN
zKGsjp^@x41$+qjV^DRgC^WqiMGAQ1i_Oa2(lRlkU{sQ14_liDJf>$oaK_Y_LP+|mS
zk<04wmbklQ%CLcLo|Xfsdkahd*P(N8meFCG?upEU?Qb&bjR#7PV9bV|=50IJ(Da0S
z|FZL3v)ImB2T@>bjJjbO!pW#CK=U-<s5Fp2??o+QH7Mw|e4T8E#)iRg#a%W}ZMMf9
z+1XsZ<NTcc3B?sr{2eeJx~uHKXx60+Ou`*7&#3A{6E@2;@jQ8wx_p+Wli&u*JMSeQ
zh4?ElS?04e2reE5B}gdK9pTA}Nhpyf<y^6OQyp0(!S<D#Zu4A_vpM*ieem>$$ip~}
zBxVCoJiWWGS-NUz2DWijUAk#B-BiNS$%zBdNcXw#XUJ2G@b(g^d~WY#ul?klc--Or
z2j$U#qn|<-l`qw&KGx*}nb{f)Px@6zviK(QUbO8xC0*+G&>g(PceolF=c=8wSSHoo
z06qHk(uN&CwUcBv&t^%_y&YA#DB08)0|s_0{rg#wV+|m4mJvmd3B1z14~LumH(e_Y
zl;O+;pn|0?((&S{jwrg@yG+FqxcMfuQJ@h?xk*R`tt3c>Sy#^D^&b8y2H0lkvw@y<
z8ig_9^SNcMyDwWEF;^wrDco6Z{I_Td_WFFg0DtH~Xj>AzT-qAFCs672$81%>Lx7WF
z+5J)7T3^TG+QUCThUf#W=u9(rYGawtZ9n`yYZG_iuyOczt7l!FXZij2o^+AaGkW{Q
z@4{Ch&&}ie<M!xNgCOpW-kSfI%ojB6a4vLtFJ5#ckiVkDbH1p#GHSbN;<o(irme{q
zTli~>y8eiM^ThS`lURmgVQ{HF7t7np9K(29hWq{?;k0;LMUO~5woy7%X@GQvEI{lD
zrWvBLNhXRG-X{hc`z0q5wwd~D>N4`@FhRzJ$X6sZR92n~?f8@NI^Bi~BsXg7|6CZw
zS(1XQj!&z&Y!SfYPlr6-3Xq`Aq&(p0$0?x9Jhs{##84M>NlZeE9{zSN;`%%C!8*$p
zMYy#F<lFXxv08RO0NZ1I$sD%Y+pUB(1WT!t2cjuYqv^IHM^}{6tsI#w`gG%pmwOs6
z4sWN0AUkbQ9p1ee*k})m36oH<7=5k3FnN|d#Np%ESr=%+p2J8<yUp}NjqXONCds3n
z+BkQ}(X~}i=kv@vZdsMcN4tVS{EPZW>>3v;g!?}#@oOqa%v>TYMtZuyD_9KPa4=5M
z7emH!LP@#}*-04$I2?><Yg|LngZ4TdBID7X6=yy8Ip;pBSB?Vzm;w*%>O*JR;3t>Z
z7>^`)82K<9Nd;YI>+*ufbZ;q=ZFzJfH}C$#$7-6m0nZ|RO)bW=809dwZ=<ea{}v_8
z#WS5Ui7R)^!N_gXW=>+4ctQf}5Bfch8{nQSwjtepeSLup#airM%PY6hm6ywjMUW@R
z9LAeRg8kY%Op6)37l#|^pq)-oS^3uJH+2H)B7HqKYw<M7BmGV+9X)I0?NZENwf`Lm
zT~s(@$sk3CjnU!XbnJm>N#N@PUhu1fQ>tmN4iu5_*;D^{MISgAWd%AH*vZ=g3swMF
z=Db-#?EidPYUhVBN6-T?_o~NQtApO79r{XAD;v2}fQH(iwv{q4kM9Vk<GJrG18X(o
z?14-BKROdfUOnCBV)jkty{LR;Svgek)=b<90%H(=y~LR9YcivF=b1bp`VQm&)IN!?
z@91)MaghyQpVo~<93TFjoo<c3DMCjx1?~$su8pWZx>*-@a_mJyTa~uMGk~#&@ARi-
z&ML(RP1Il`5!;I+Z_}}^%{8YJ`b60hoE@K@5x+3CztlUUFX_SDCB?&(s}#c03{tt*
z)4{IrQgecJQ(wZ3SLNYSjTQ^a0Py}2k5aN=2mkk#>$k+jnV%3PkYZAX#&pZs#L4-A
z!qiKq8S1f5i4u>#pJmIv#d#NV0V{t_j_shu+dR=ZJe$=nX^qcfejMvMhrH(~SIvH}
z?YU(ku^8D-4@s}y46(Vi-*iwd^<9iu`z{1E5^1~MvTDTcQ7}fJDGdY`;-KW2RZ4Rv
z(E(SRc|lh$WTs7*JOhf2-kI_ndXqj8wm4j3R{)6$j2nG|$`Ctsgol#$woBDl)O2w%
z*#3{+pe9AUn0t$iGkJyF6a;HaCVB+q5`q=G+p6XSn_D=i<Tec@+*JES`F|)Ffh+42
zc;piIB6_t#zWcl3^*qLYxt%!pmi`Vrg7^jMlQa)}(6Kg@*>;jsPc3vr59IR#U&|g0
zS)lKlFI27CTiMIbi0g?eS{&(9vOxtIiT;#qX>D%A-9>ikSejy%7BqFbxp>-F2iHbN
zh#WmC9)W`gic<sCtY2NLUvqgkLi0HxsX(KRo_@MHw#b_@#NMweJA(lUWvk+~2^3)1
zyrq4+e7|T8gCZ}7`Ta);+6S-niipZzNDI^iPq3{Mz*?8P?+1nT8%VnrrzjiXL(4BP
zIry+!Ul};Fi2nULV!DLP_u5X<&9EL+(T>n4oT@BD`z7}Mu`beUo!8CrJ>KsHW~c@G
zIB%?xRaK|lucqWx2AzP8Dvvbo19RTM!NWc)zMW1_mVJ$-ZniE=_$mC^|53cUh0>#P
zdsF<V0T^GX#R4eUAGKvoxiePbPOMm&*OwZiPSj>r$wS2vaW1rJIu7)L2V*IRn@1`&
z7)BIC{VF}AP@KJ(2G~z|zNW8ZKoQ)+HE{O*SK9Evf#|;M8n^ciYmG=*TAHO0a=g%f
zM?2J<16q!Ep;Z*+Ri^AZ6h+fkn|s$~7o8AoX?mdnu)mwXd$#N6JPmBAk?XB{<GQ6d
zKhy!V*QIv`V@~rju%?crTPt+RRnVYy>*_3qabXhL5&Rz!1hU?87{Q=%AvOxT3__Kc
zAK?+r0LU)zS1M*i$|quBz9XKgbf%sO;n4HT0*U|LAmNW2Og(?K#?^#^>5jCEssNSD
zzzq~xBdX*qeTuA3C-7z_wmD7Mno`zJJa*E8dCi$nV6a9F{vxtx8FSS;tHCc7+*`8p
z%{ykAvrK|VNu{V0QksZIbxx|Pp$=?>?&j*H8+l?q96l~!+Q2^SC`8~TsW?%43l+JN
z0(|$HMgY6L3Apw4)PUg)QxGv2(w5;=9TloGu0&tVUVRFRm+X{NunPqVkZ)TJqY`%G
zA7a0Kw45ezm6;>Zf+VFTIh)@8Q!n%~4cx+W_NyB)zWN5_2&g|v3>^$Sk78x){?`w|
zbr+T3ObF_;ZSn2E$B3)v%7!(>2Glc8qCbw!qa|y~t+dXzXGG#KmQ%gX_Q8RlL_dXv
z4ZYE2$x7)_wXg<<VjiRz$e`4D)dm}oY4Gejv>z={3Vys_kdfs+6;#U^KF;92<O>TU
z?L^LGwVeN$v9`B9bCvvTVGOD0$}Vv({@xdt%DRC@13tCEQGw^Ny7wbfdD)t<fe%aU
ztmfTc>=+o1)wX%l8lEi_3{o`v1~uq5%1q<6!!V(ERPBga(x8cYWkFA$$>Whwl-UYI
z^=|5@RtOOarF{^Hyu>4ECT>s-O@1(r%Uou1+5KRic<Os=bi^7h3sP{k@s?VuOqLZd
zCj}|<T#NCd++Rx%p_hy|3-y%);1kuAmlqR@&10AOuCKqyPDgto?<2Dw-fqI0WJ-0E
z%)stA`)j0_t6T~s-EotK2CG@@TG9t469tJO1nA_}2X&OCyL)jgOg6Dp7)cnT^73&@
zPX&5mqYaofqPN-o3qlCaO{+`&U+r&jlLV!Fr@fl6zA6Ei-V~-zY71@sGuc;=gKGkk
z^WpC8b%OU|BI4x`nIOKx^)r>mXA?iZO(T+$%%}ARu>I!jRI*o|1rPKro1K}IM$u{N
z^|Uvo8uj_CX;yC`Qmn7hC4KyNGsS_ow<}kKz%N}`%B}@8;GrYvcjiA&#bu3_5WON^
z5W*CZ{BvA9o5m8x*lW|J=1;)x9A&|4*M086BNkP{?2D_|joI}`i>BwBOOynIX84~S
zaQDDx^%t~RW#bK(Cc`;LBkcgGs4jvx^d(EL!A~mV&zDzh#$OHj@SR8kal$thS(FE0
zKh!R>Fz7lsB$WcZ)N<q<l1nEiM=jyO)wgJGSV#?#yVZoR<CKa0{9R5Gz7rD;osVv<
zm2+h|*PeN-Ln=EOyZ=YZppb9aH?j^#+?8=x7km_3TT>&j-bPz9#Fc%x_p{62{&t)w
z?hM%!TuXV6-kVJml}+rbLK+1GETjisht({ZbQ5h(8js(8W{T%Y=jY7+`SJbl0%533
zm}3uec6qESNHwz179a8+;dn+aF^w{e%Vf7?&wxw)(hGQZ!{__)wNcc|^7T=xA`Sj=
zh!fMfeY1$BOgQZuI;VCZKOnfv+onm7xhuw2Bjs}64G`wm7k}79%}}`|$vgW?`F5rQ
zt55%Gi-Ga7rVLM!PDIG|Ul*;uI+&Gvtyt>K<!Jwx8)$CP;>hzFSG@uY%0}%Ky!+ii
zls`+ahXdnLX#2-kn`BBW3rCxhRZnY#IvFvw1UV&D{g!(fpym)g)^HSjPE#rq>>vze
z`dCK$<+9{N`B|k8ox$Ks0!DL{=32)`b_1r!N!Ok{$L!)>YlTj)pv-a9>--D$qY>n6
z94-_R`b`gm0rgY0y)wl76m{MN)yMN9MgAixU`+m7#0H8pfT<o%9iOE$xVeeFwJDJ!
z36DapP$h10y&JJde|~n)4!+i58NR}Jk<}>v&*Dhw+{8qUd%r4A2pJcU&8-u@B17jA
z?%&_tFa4Z@dh#Al6^Q3)rKb%{VF%kwUi2PI+jm@1l2iPEJZ{E|QRQD<Q96-yI#r>~
zv82Ez3_j1tMr)=sFS}$1&}QuJic9>Bvuq<ex+FX4OMM-uAFs+7;W^2-OXGSo#l>gp
zbYl<m7Dj|h$7G_)F*jfl^xes>N8teRv+D`tQKJMKotCnia2alwrjZ#XA1##_KbyW^
zK6NJH$M(I9u1h>`BS7h1i-&5?kMy5SKmX#n_|7G<SFMY|LEnyQp;125hM?`wBIqNp
zAX|#1?kLDUX=|Y~tPSd@;{%N0=D^?ng8U$zW++ATK&<N3sO<Ml0dL$I8q>ZX2YrhC
z-E3M^?-%GE5NR#~t%Anos%t_rGIF6sHh!+TO_;H$(T4E|UK_KpxfTE}r@;fVTVnJy
z#l0mweYfA4P%hdlhZGohA|k6CdxVYk<Mv#1t6^iAyI<B*{dM{<77he(HtKmsRhw3T
z@EuLI$4q4$_U=5e`#C-j4%(Hj`6LL#=jcgg`uPH6*ygV<8$m7lg)%QUXXH7G=?R~U
z+QHLu&Yn}AVM|2RFF@(hnC8c0_%5)usDK-aq>`LF<>1jx?Z^vyuXk=+UcvfxCvgQ$
zTm0X_j^TjeZdHQ@bf&O+utUX~w2y2~Kb%V^ZgnB6;PL~s6`%{e`X*K0A$OOY`7dh|
zVjP@Qso&XYy}Ecl{+|A_Qnei6hohq-<W&6465b!ld{=}mbOlDUxn;9Y%d1(-T77Fc
zCpgwr!qv}1mn!m2f&FOvjNRty%i;kiuo!#O_WCUisfY5d_V_y&$SY4L+Z3p9!XkYV
z-o7yS@CUAi2~=~xfeAV5^O+qPeiqNgh;T3oL8Url%TEGe`7%;!!+H?#OVu@caAzP<
z>&u8Lh?*mu3?hz1Xr$%)Ed@uMuxCM#zzgIHt+m8pIgwl66N-1|)}~rM9ntoBsri?^
zL1XTHTQ$y4qIQ<Y`iA7{{vM5MR*m|BV<1JC*d`mjVd`PEypSWy84)0E<#4SLUhZ!C
zc6D#86bvr*S<hL0ih92KR4fA6_ae54PRC%cRd03G@vxmTKA)u|?IYJGnq8TlBanS@
zsY^F({_C|c5=(je!u|NA*=9dCGPe)!ah!YAV}(+CVYd$t?^|`)3d>-#18BT32MOHQ
z&s7*aQ5(j&9ohdC7ZaV7({)DJ9WVZp@Zh)koZkv-=VBfR+OBurFZ!8Kvu-cx0jzp8
zvf_0!c%k^rE4(Pm^hWRMWS|bni0CvYuSg0_J@eQ+bM(2-;a^WmmBAS=;iV%%^(O08
z2TB2p<$0{hDHEXv)eAY=%b2e#-_o>31Ix^0ys=f*_ECR1Kdb(hQ&Ah=q%t<K)V@m_
z{py0cLKOsN2G;KfJ5y`>9?z|a;|IX;R$3u?0Dq6F!A`-noBcI9z2{!VZlrqf8@)w5
zOHcCR+3w3|VT>7TH2-=k{@x?|bxZFrSMZNrVRH8ulZtDytG+s;yuIVgEnltM<~x`N
zXdnSp)kC>047bBlclp!ZW;wxL<V*HED@wJ`-|gDIA9G>rgw;Puj!y)OwlrTC*@wRY
z>t5}N;bA+Ur=%QrR>@Vu5^Bt=Hj2>~R9n&<An(Kw8`sXr!n##6S$XRV8Y>HvL$3$8
zo7#U|yZAgrG$!iXrAIeQ$w|&q<axBlxZChd_%*i29G?#iKG~bqoOcY&N*>suY@flI
zX!pGNg3c?;^mg(Ydj&_$Oe&)WEIE&pZW>%gTU6JKH=M7p|4f&v#y{*z{p7Eo_xcv%
zc3vpmN8pjFySw`Mo#r7V?0Pa*o)YeA%eoe-r~a(NwmdIo$gmJ2Id^>weW1mvhiI-r
zd)bxiqy&J*g$dS&A3}KY4gv(}D+KlRCK!BB!j2NxyVUp`NS3Ke5c85qo6@s4nNH4+
z8PjKT|G3o*1qh`my5g%Nb(j8jD~EO)NQf2_&gxdX;8pp2<~Ih#0}d(*L}t0nDROpY
zsqy^>y68Y!BwYr)=h<hnZTo{HhHxqOfE2+=raU6EY!^3rZefL6g3AY+YNVQd#I8R%
zdk6Us31+kG34gMmZ-|zNA4_)$!*Q}g+^xUFs*IuPdHgD3!OHOg&PZWSU0N`o=v<?{
z`Lk|=su6}{16#xpTf$ND&=wg_PAw8AZW)Mdk#Jbv*Xq#avhYwLg0o@95NDw!d6Jc6
zBq7QMlrC8eX&b@__Gr2lZQz8ajCy+_n1&mYve6j(y|GrP&Yxbr%0L;?gxav+-Scoz
z&O34F!3*=?81+$s-s_S)+{Q6HGZE4vRd?*y_bInmj09Y*$r5DQ*)YmvXY3mgYAw-X
zxkB-|jreQ&w$ImeE>w8dYUajAsyvFtZ{=jt7dY#8zUk`k26|T@b5?haeE)Mr*U@Rg
zC7gID-$5ROR{GI(3xd!e@Ic?8I<pHOs{RanUx&S^dp=&zHMxg-Ha6*{*{4FDfzmuL
zNP6dN`kg=xKhd+jnRAdUu^Gq@-G&mP&osxB*gc~z@R#!j@~W+4Bs`fkBECHKI!EDI
zJ8r$ES*A)O{1u1p0^&%+5luUn4=u%2zkuB8<I_U;?H9fWX%DJAnta>~R+uW+$cl;C
zeFND#YeCVJg`I0b&g!q<pot@|#zeh6s_ytM8<r84`;GGlA^M+w^6u{Dd|_xtRo8ZF
zx`<ZBNlnmFxzB!@5543tx6`^mn_5bwXwk)}k<A^T9jkAgMc=!82okZ7>Tx(L^Kv8t
z7wc0)-mQ)KE&mC4@^?sMCN<HkJma^&+L!X+QsUyw$?;yn(E3zM1TN(0D!NH}ee8H2
z8d#8NOIxUtqhx3l5P*G;juuwb@W*Iz3y$^mxD%R;Zg3GcMID{F*lP5Y``ip|de4ON
zcE~X&d&m7~rpSWK3T?-C4sxZBZ_%aX=<GFZQ%P{+uAT7JmTB1W$pY|1XuWxNRs3YX
z_hDT6c<sqIxSv{(e}4EISF#M-L0Bgw!9h`50ahf)GX*`+IlR{FQ6{nT>&weufzlib
z$6aYwYjeAFq7Exe;v*|5lG;iwO9CaoN7{NOgHzy3p25@aFWQ=jSxDY5DwzC`@Wu*T
zHut-#$$@BkQd?l;pkDX{BZ2rcuDu+n2|Hd=BRzD)LU$$-#?MYP5(tE~c_IWxi#!c|
zutLBPBdtC?@dc%GKT{=VpVnDTAeL1_X_6>d-S`wn)hIe+BwP$0Hk}`t*;b3tiCA;n
z1nFzq{IXs9Rh}Pi{<6_;2)`CPqTXKYAJUtBoE)AJBm!&H;);?c<1)bvle=2*AJC~7
zS$fjljr&RB?G21KsMm@1fR}PQpD!|ZZM*!titk*Vy^aA@2eX;t&Ir2`B&OFr;Rn?r
zgSM7*qK@ZJu}?f$pKjG5KXqQcZZ=jCI!eOJ*;7GD3+3PHxAEVI6y^>+j7j0HsZ<xi
zuTU1oS-_YJ9-%zO=>aHik9~R@l3&k3(61Ab^N=@?-;e^@HtuAvGWaA|raRkvy?wp5
z+>Cgt@#cSOZy3A(y0r5DQI*pa&^HNRnY3G>G>0A@(ABq3bG?}yfWMMFgWu@PAhrAH
znapEHbPPS{8A*)@+V1Rs7&4vpQgwMkrU-DD<vAFgKmLaw3ksv+iL-Rc=2KJ9#5<vX
zRm89|&M+SzpTnq=<D*Z1w-!wE)dX@gDl@Q)CVpG<1Erp7{8y}B3C_eM<G~AJS@Lhr
z4vusto|<SaZ-J?ktP+Vfz(P%^T#})|r-b4WJa=+JSd3V+(C5=qUDxHRGNLwrnZ^75
zBhG%)=Dj7^Z^2^~;^MDP=u-JPqfL4hMx!<-7L+dOm(8|tYlwMg&V!oITTn^3|BU}`
z&Fxn0SS%pycVCXzEhTq?I(N)&8qa4Tde08%f1=RHOkZ}E@2#<t=fb^<rc&b<kvN>y
zziiN-#{cg6dX^63Pe9h$Cbdzbr~3A?3C1XXh@O}|QTs&~IX@XmeC#TDa_Nztod(26
zs3tUU8ovcUJT5iOOra~QHGk6z#$8XF4h50JD<(EI>{E7}_<~p}dbF&tvPTD>w5H9D
ztj!4@akiz!n&7T+MFT3>6mCQF5D=x*7>$Y<^*6#7^ZaLEZuUfzZTA^2X}C^b2FfGO
z<MoNdpv92*`a3T21k)+*YMm1=BW0U@?FYX;7leo$$E-GFLeO}JrQ12NmA$pW-=1=d
z$%U_yo7O(Oqvt3D$9K2;>Wj98dw#J!=CXcs<NC4d6_jvu88Laay_S{TZiO{Vm~BT)
zQD^sb<4LkA92z$D`Qozkl=LLkP#3;DTCg`dSst*>?-SF;7eN`X2h#%kl}KpUCt_8C
zwmXpgB2^b3N9|)Pp+da{)7k(!>BBAmx;<VyTI*4e;m58Mk%n|S&vtZuHWR**x1Jk%
zNxHJM&E_g<KqT}-eN7alt@McSaKmeL_v3niE<4BvJg;{Iv&88_iPj6qHYa@R@jFnZ
z&Mv~eJ5Ll`sxfO;o%(KIOSY(fsivit&*l7&d^JBgCZq4HK%yBxQ?2;ZMoX8cC)wO{
zDwEu(_^ga%RRTd>l{`cz_~#JBzh&@TmQL018w;Pze}}dog$M9#!`{5nLqr`ymZ~S<
z6IsZUmqmwV8`_P9Pa~!y{rIcxYb->*$TkJKQ>sM3?ZK~`5pMm6+w{>$b+NMZhc{r<
z%lNLLvd>l()p)eu-Zr34+&o()4bKgU7=bjW6TE8S3oe>zNONDp<k2QIn?;w!6lw#$
z=Ro*`>B7TA6}Cni4#OS6Koqm94_e@G=kGtducnPP%5NQdv<;zBs|e=#?`F;`Iz^n|
zW2)G9dmC%RDmnT)6s>TtwKcW(wt-diYEe+2qq(DYka+gs+aa0=!|SUD!R{yhTq2s)
zEs=H5k^08vzK5LD8Wx-W3{=z@>;BvYrmAtFAd@~uG@^D@qq-n3Y+>-+qIi5=JVq*}
zcsM!##pxcMRy|eg7Qq!p`=rh3=yk08n2XuCxei{}aex<CCEk)p$!5!Wz62+68Cr7m
z11Nv;+jqa5I^!eZPMX+tT6!A@6u;4AiFL|H&YVJ&*Xl2-g^4}QGYE>tDRE?xGirti
z2cApCtHcfly}9P?6fnAtzv3ha7^6)|e^OfmCXBKeioDaO+DGk6%m%!Nv?Vk{6L(A2
zdaS&76sqjUf>@+qi-(J4vltBp0%CYTj}%*!npVkIR!bLOO@yle3{NVAp~ZYH7CRL~
zKMn$a6{mLOT4&#%&~+GPnLF_SAI$?xQ{Q9QO->rqY&*Y}TezRgJX52h`&54kw6`+E
zdP6yScSZJ~_$#R#?qD_~Z1c5{B?-d`WYuoDz1^1J>Z09iaxpv%Y)YL7Uz{AHce~qz
z!&ap@VxIz);6n>AJ=#|3O61#e%+5ou2{DJ&(vy?n9;~|na~Jb*g3Wt<?<Rlo{9JI(
zz7JYq!VdsWl<(~Tf$6ojvJExFyu*1m@3EOInU_I??u?<wczW5|vimJ(b@2~}^AGt&
zy>=qZwR;N**$j&gL*);#qwd`sZXuYyy`c{|KoE;d(BxcuuIkO)_N2K1z5@dZOCFI3
zb&cRWlO}&R-@tq6l-mMzv%6p)-ug}pg|m)L<Silc@Vu*~uBP6clkbFS`SG=msKCVh
zNQ=s;XGLaa3;VD2)M6AV9;e{($`>fvBK+;EV2W66>u99hT)MM4lL*d8!m?P$P5fa2
z#uSl+Zuz2zx#=y7wYmo--0H`~^?z*hlg+n?3ALjcfBIUNd1u;-AdlGLd?>WG-|}jU
zl!xlp(o9(&f_$i1n{IV2Ge3=6%;-@~<{z$xl-At8RV}bu#f+oN#v3zz`Yp%{7$wQo
z)KD>zQ)#<WIz{nRFZ_alPx`IHPeU*ub?GlM^m7SrG;>gEDuxTotZRh;aZyFbn<@v_
zqmUG-AD?>MWE0D2kW9=_PY@ka^y21jO00;-D?bOTke`6*%Ezfr=NGRYw-3YY_65Qb
zG8~?5%RRX(F(xI?HC7Uof{ayvEhHKhTW-;7o79737k%7#BCMhY9b}&l!f1~*pDT)6
zhSWy435A+hL2lCKbkc(ar|dMy332}JVBO`bDHo>)oP5w$L%fJDgIX8<<R|T1Q8$Xy
zyT-4nXzx<jXkx#7?Y8Eo)!OKpt#aT|KtOp^kWUp76U*HrJuW^{AziVY|2D&PS;ml4
z0O*#@<|-33Ev7TMI|adgy*#i;HTPk^C-B)@qFU~3&x;0g6+BdB%YV!AvgvpOQQN-P
z+jG51Ogh+Qsi(Nwq1Ec1SQP}(5%{*FawH69MTJcGYq3}0-J*8|L#>y!mub|p%Jw^A
zfsXWJFu|P=a|r9XDpN$yn0nh?*EUj%WvK%eKcOnXu`Ra&))iMjNLy{W%D@eGZYpW4
zQE?>y$!|?Jf4e;Tilm0N`1bkg%i+kHV&9=qtegXI1Hv!Hv2(h*#b87gQJIyo(QPp1
zZvn^3dtW)w`zv=#WW7GLe%YRjy9}f5ysJ9{=s49iYLLAVrx51U6cGFlC*!V&Mg<$c
zX{)`C?arLN>%}t~1@|U`EY#AKt}ULD>Oz8E-vKLV5>u3zfy*h|?ur<|uf#MZVhvax
z4C@W-Mklj$U=|Y53b*9ve*E<WDwIxy8Isg1x>Zw|j26EkX273ftL+p$#@=fBVqVY0
z%5?L$-O0z6uG1ZAD;Zpg8FF8d9^RV@aJxM=YJ{liWsG)6R(6cW?Dz-kQX(|!bB&mI
zR~v0;uS5nu>b)XWNbU~tDLT7Q-C1rPjSqwr0z^Y49sCA5w$HNZ$cVHzR*tGyUVD+M
zYABM{Y!gd?s(vRdB=+R8A2FkeK3S{UDs!&Ciif2yZPQ$|gn~otiFJVwJ5^%^8}(>y
zJtB9pr9%O&!Ci9=CdL(}5-a)<39-Qj?swbzydh&^_tj%HsMZ0e%Q<QS98Z@P|7J>`
zsU<v`59O{lYFwhxqoHU*lBi+__al9Xoh@=Q8w3w*>`%Zgn<F_|27d~=CfLYvuf2)l
z3IZ0?+!@#`$$tQ=krA|>Gl_KBNULL-N~fI#$MjC>UHOro%~0V}0PMu>yc)RUM;(7s
z%HjMvZ6_KIhmS74trRw+&AY~<2j#?Rd<Q#=-)<GH43hC9=yD?0v(@&DbSrN)W3q2y
zrF*YK#O8)z%G7Tf=1%~q_3Dd<hdZwE)=TAc*svjC{=dtnGl-Imo<}=HV>|8|121RL
zqbknO1DUznJHN&87pQMb02Nf{i8?ew&NWlFeVbeKT3yIIfA%Gw@G_2W#yf?Tumk5>
zE4RSlh7oD2m#>9^LiIDv1m2Q$n~K%Og=+-=^0R5#0sAd6BFR#*z7_Gd0l#U`1Mi9x
zmoYyV_-zNZBhim@p`CRpH5M$_fX)8rfD<K)f@Lu_u(l=bN|Dq4#2{x>AOE;&PKd=o
zh45+x#^bxf+9>>a(-H`~YMIa4o1JrLFZ=;ym8Q)#ey?OO%XG;pO3p}LWWzW=SGQ=V
zdPhd_9#H347A0n(HU+@HkF>2@CJqg;?mPM&66B&4TQD%Eo|>N+L`J6iW$u*BKoPyx
zREXkmvbn_lx+(mWbj+Al?uayw3!^>4BG~*%dZ;yW%a_U_iTAho*4(h1Kl!;ll<Wts
z+MU5qU<Ub>z3$;L(l5!IS1$zRC}W7~Xrn&u;L*H?qD|bZiMy!&`wD!ti<)AW5cpM3
zZg--KRNgfY57K+@MDG0_Wu))@LF@JztBC@=a^8|bS)HQ35bMK+OV~@l?;B5PR2PkU
z*RE4mq{!2n-F?65XJ`N!wZ2UTBMu?@+pX7r6`0@KJ|{}gv=}-zhL%Ct0tma4>`K=Y
zj-cuO$RCL}4JDW#4OJEp&0+44M|)F#0*wa$TK@XM+&}s~Nvm(6OGtn}*F6}&H~3gk
zFAjSxJcR5kvC^}t7^T7M7!x&FqefZJo|1v(170uZwm(bpG#3VdphlV<;QRZqg~grJ
zt8Le!LMlwIY7Td9Eex5SIQ$_k@E=acYz=Hglv%aAe-)p)0+6s3@5)y3yu@OWZf=yD
z{Hcp42*6WuQY1{6)IVhv+>uO(7f^PipT3m2bBR>J4hjn<myr&zazv$<TV8qeA=-Ac
n-s;_aJ0|nL{*Y$V$r&<b$U?J}lZk%T6<~JL+PKEhGvWUL?@Bxz

literal 0
HcmV?d00001

diff --git a/static/images/errors/image-not-exist.png b/static/images/errors/image-not-exist.png
new file mode 100644
index 0000000000000000000000000000000000000000..3be38e421ce35cd1b964b41df8f5d17174d51462
GIT binary patch
literal 11400
zcmd72cTiK`_bwa|1VM@lf*{34M?eXPKxhgULJNdm1f>K5(xrqZMUmo15R{Hc=%I(+
z5fr6{ngEebXaNEQ2#}l4@B5oO?|uJyXWp4R_x^Dvv(DMsXRWpO+535(wci`)>9Dcz
zu>b%7wx>@X836!vowQ4e`8@580kpb~_H*I&6LW6>;KqZ0FS^Gma(1+vblyffngG<m
zbpp*`aMA#4005PVtS2uR0RSn1r;jv@-_UK&=>Oq1J?-6@69wZQ--6!+r<-9e<06rt
zxN2C3;y;cuTtyCjt}ry~tg^JOio7GGtFD-@JQ>dV`K~ecF`E<?Ff76e*OVIz`zO*?
zEf0?)l9vAb`5NT3mA%qzdx0)%W%lcRC&vN*fv+T|u77Un2tok>t~IIz0KlRx%mCnu
zS7!!@@r82&4CLu=0CJoeGy&?v%#nbwZ<m<q0FQ5R(gR}uZ)?ae3Gm+UzM^kj-g02E
zzfnC1wWS_UtY^=(g|;0pCg~Tqoh-?Wsh#a4vb3LYGKVW2Z~3=bp8jQ0D-;Yp+0h9h
z_eqwIYHTNlo;d6msGSzk%L*}Q+UXr^%~&E<l<_X7aj<tm2OCAyRv&^9qg`<GErw<F
zjxtH+Ks;rZTs+g{Zwlzq5oXXn*!?Xt0sc1JMm;62d4y6dPi<r$cWg)T*c1ZdJ|GS4
zUKX=y3nBIlXZDKp?%9LCv82tCX^qz=+Rl6#?NmmY!!H#njRr>ZjnT_k)yrOp_@;M{
z*h02BRVG^EkD=uvCV<mR%;Eot0gAPG#Qy>t-t5fZQo|_7FVeR^V2*5mvX>w;etzsW
zRzYvOJoI$^7V%<j{HU@vpi7vO{?-#l8Q+AXQ(`Fo$QqcwR-J|Bek&37f|im?-_sre
z4M0xgy!^(*A{Y5uFrb<?*5@FDgOeSPJERK~oaL)^OSxg`7YhK<v{28d@ZH^M!k?nn
zv{au#@VQXti;3#Y7YkkLyR)e$E5$NnEDpWbq9K5;f4lkWSpO*1*ju7YJnRL{{czp;
zR^M1@#tzM(`*ZI<hUfp=xCU0X(v%!++aI^w&qiSd{`~{Z*K6SWR+_-ZQwn*aWMq9%
zKlB(g&Mr&yt4B+i!BKYe_51#G#qy)9h@6n|=sB+c%1d$&@7>`jnz2nw(*I&`^<4kY
zlM33C|EHm@uT^?iPV(OnZgA48vQ;*Am-6b-U5rs@-jiKiyIgJmfKm1${f&<<m%8pW
z%4X1i5eVn}S@Ul0vNf&Qp9FR0mu8Ev-`}M<=16nwo|ISpBOY3B)wJFOQeOPWz|gYu
zzZlXfF8}?6){Kqj+og25^pJ5LTI^@ck?L>dVxAX5i{RJBmiMa7<ud43JscSSULx_{
z&3(ba5{=#B)EM$0JE>93_YW5m^+S*j=6hds?92^sF<f2-($ZFc<82Pj*Hu~+3?;Jv
zNqjJarm$JmfBasgIW(X`dr5;4ajPedJ${Z$UGU*=0QLUh*qtoI!PJ_l+R?A?S|4D!
zZO3EfYyQz%M&781>;i`q+6&h$ZUJDC?cFM-sgq6q#59}CPq0s!+%)Ii88ma!sB4#t
zFD;+AF_-Gm)zDrvc4C_Pu2%k<t1T@_*h|cYDs19k$gkf&PrX}Kluy9($k>$jbiQWE
znVLX*;Lk`bVqaz_;Mf|M{z0zfvoms=slyTN%Q3NT@+)JnS9G5)B>S(Am%*es1XT*D
zZc|mS`Ul5U8so0KJ4bp{ZpZ}&M^>6HHA7PkIE}$@n;IGL)xU|R#5<pv_Jkk*a^`zH
ztl%+w@^cUh-wqbyQ<xKH9&tIJPjj?`^Y;zulF??QCohu$AN`Hk6qdjp#9ZK~hv@z5
zhvC;5G`XaKFXw6}Y)ZyUMnAsKHEjbx*}^#=Lqz`>4bJdr*&lBV^hf%KQ^-X9fsAv>
z2{w6RHZahDsZBusSrXr2D~yXF-LcF(KR-XLl9QH*{@$Wo#-bxdhcGLBE(Y^T!5kN^
zLKpR*r~Q!+p|H2@p|lY_(@BDqL?>G$y>2n!FpN*iSWyqLn}R>^TKw6?(jGZmgrMN?
zsPxAZ&()2?CMW~?prc6hmtkRiH#o%%oMVB@e;NAPmH*Ez@cfceQKH$wRoDjal||~m
z!$$=;*SSuh*4~R|6;ctz*_O3aGQK<v#2ootQ*n1|rb(3A=0g|}3pb#=*=krRrloU&
za(F@-EO}MsyFL!19Bl5l(H71MA41pe@VP~dzM3`Fa)LFS6LE=|waNqE3ar)R7A(-q
zEKd1RQr>DIpz`MRE;ZFAu;^jP$s2(hIy)(b&Z{h3#AcEnP=2g?&uNy+Y@X^H_uFXQ
z2s{Syu8de<5(+k;Yd2e!f^fE|?Qj87iwJTiq&yd{_DSYQ#vS7HhQQoC!+zr0SV<B!
zaX*U-ppvF-DdxN?V8RcS5q$94ZkPHyRmQ)yG!a-G(BQicMX12oP54qaXVOP}4mPHq
za;VR;(SKp0e-VR1HXH_V&;FjxsM{di0?>aEP1F9L+c0J|cBttIn><-dc(l8SU8JFl
zb<ce$lzOm<+Yjox8|YN$(3`OKgU7ZsEA;FLNSPq->-iKeL)lU*{3EfBmQL3~Rd%Ye
z(T>+EZ`^DkjGftrp6>thTx-eSbxHZflzbk{mE+TWf@y#>I!&QbtZb^oudm=x2@rz&
z$mhCGeOgN~twEdE+Toa5`OVOA(xs`RVSGvqT4-sQvv<mesux5xn_X@0b?qC`O<WJ=
zPq?nMThTe{^CI+XOcGUJSz9*2yk>KCWi9SXFCeh-FHp91y)#>+tZ_=7Kc2BbWNlNa
zTUWO4oaCO5Rvp`+X@|YQ=M$%WZ?ND{vSYqsrq_v<x*mwER0lOUBDAH6sjduWm%n{}
zmpdegyafk)@N*}x3}ik(yQ{ca6ns4vrKE;2icQd1Ss2RIN|Gy75}4L?7lfr_2j%Gu
zapR!iif06G_|j}riW)<=`zUkj7x$Ypi`G2NES`+@S48zLVux=R$lfb{N*Mf=B&s9M
z+hn%==V>)4=x}@PVVT73M*4zbKVLU%I?1}6UBYkx$a`5ADr=luOxmm?D!cr6f8p4`
zLcU4gv;&^48o1{yU=UL*u=d5rO^K2SECqQDHcV=LI@=<BELm6Akc~m{j6K_zo$%uz
zH;DSiVV4P*0v<1Y)Mfg)Pa|wwGH=G}jh_@(KuGb~Nf4i;wH|($TMo<3w$M#e#w>TS
zCd2(}+>OT>2jzRxYtfK!WM|**BbQNwtFD4^N3W7H*2&P4QGb+GgArA?w}dEGZ~2j%
zJIlJ`8J@&g3JixeDfnpPYJ%@S)0s&2Iv84r`C`@lrgF9wF^JwwR8;t!Kaj+DBU>cB
z3De`h=8r{rbV6UKJtv_Gm?C%?YT@}EyLxSPNZsslt7DYV?n_FA_ie0uv*Sj{&xT$j
zjUgL{N!1OafHF!o=wP($ocOcn1F9~Balcx%2s=euguBF6qkesfFMG<N4!RVdjQN$@
zpN%mkBj42;r+gM9-$})?T$QZh0+^T`g?&3QdWgVOfINti#+=0lJH5_~+m#NzB2ld^
zscu1SND=$7<h`%xr*vEfp9M=grsQhkwc>%`v6~AAWnrT`xB%nE^fb-*h-MC{J{^JQ
z(`bRzr4J)z?f2H3YagQDuocjzNZSa~uG9`A%DYzmP)}w|s%RaHx`vm?llLpTn1?tN
z{?Zt;d76VJt^mgISPvKlB=&qlwdlkUl*`|uO`AyPf&L1r!#_H0qMo>WTk%khvq&}N
z{O;F!sN(v@Zwf{(v&ynYNXVznR<1c!$_`)g=g*XZ>xW`lbjM!LW7=5CML?65jW{&1
zoMXLo`1Y9%E<t0c+HSo~4ZQisOnMwLTLWy6u=4@l(XPBYyYH@dR1(9cuhF&%B5_!L
zlShyB`DC17T^n0ZR9!ea!A29(X_uH&lVPk%iUCq$SpmymVa$~-9^8vQ58fT+2X7UN
z{~($H;7Q6rtKgr`L2W#t6Jw7`)Yl72U0MHvm<d5j{h?TN8>mT;6Wc9ZrZQ-*_cS0?
z8IlBCKPE0;ciK=Y-jr9Z=w^zT9*{UQOBXboSAIc*PW9itaQh1@js&r}AEKk?SqCe3
zL=U@9`hKmLePqkzsZ7Bd<K9vFF91NBU;%^q3ceto%q}Ku2K!yGz1=kja7TS22#7qC
z9px%DqEn3-)UiHS<m$#v{AHpc{K!ZuV{95T?p7y(M0^s=gSrXavky;!EL=CbXoraQ
zTx7uB9rx_^@Qz~_tn3LSE%!^LZZU<@{CwTx+1M}vKCzOJK^W8qdHoEbyOURa@zdTT
zRJ)U6vu{b=^7q`p3n`klDoX_{C>MM|K8$Kz`<K_w$o@q!aqrsk3nW5K;BB8-%k_nG
z+W1qewh+XwtaGhGc0r{Gd3&yFoLmJr3MdL1349y7FN{W7Zv7%$V*cm5qhd>*F|qD}
zZdYR#F6errQ^8c6%J^6)wD?6K)IRDv%Mx0o`|xfFLFI?0qJIX~z&;F?e#z;o5(gvP
z-c|Erq@0jR$%ig^#~0+68HXK$s7Q@H%ni<O|G2C8-X2bJ+<=R+d_3;zCyQBTNt%!#
z;l(N~-Ya_6tN#0|d-9G$jZ~Z&2FWhu`K6tgI1?>vtiSR&y;oT|{c&FpmzO^KTlIH(
z3Y?QH8)nY9!RU+^FF)ryQVsrMn(B<}$RNhTh^Z85OA%sIsq9`<7UL6J*Hws^o-!A5
zPg4<yEFYvm%S(PKuVlT1ex-rTm(`wcB#g@{;_v4z>Mgd|{MdP|K>Gc$R!;TxVfZ1G
z(_%XoSc-aaM{X5yI2Yrs8Y34LXQDM4vJsf+D72$2ho7gyy|(3!f<{p1l(m6Mlp==V
zIGeoHe&j{S6>#u;f2O5pODs@>tw*r&sS#r)w_oeFiH1OLC~dH!Jf&{O@I@p^7W6K1
z2EX>;`!*zklmtnwnrLSHwYMp~V%aR}n?VX$X^JhpWDkQ59lKAH?mkM5CuWQQxhLdL
ztnv<8pG0NuhGLN5eW$J27E7Ly1`5>U$>6M9|A&MwfBGt$5-kosQ?~wWA)vrA==)&|
zhfAO3Qqv5p5@v_3-|=Kv;%-Xz#mZIfc+UHzmXl@G^X^k|s<#reT}M+|jOJWP5o?KO
zGX>jYN2HY@vSvoAnI*r&AK0HO{fX(4<Hc!$T=uL_GphXs=i@XlHWRgJGd?@Lm*=bj
zWBpm!|9v*dp?|&;rM1IYQ20J5t3}BH@XNYKV$8ehX=(0ykW#n=5NP>FX2F#1662mr
z?`3Vo02BG88iS@vXBvJU#sJQauXaiP!&HC@C&AJ%EbJIi<>0+Kr|;zFXVX(@G1e}S
zaOFoDLg${qKEJECJ#8gY${+kwj~-45Y2s;qFx8Tp_QX2#rx!g6m5O%R_9<Ib5$@i}
z!yH&iUm!B?FiQe_NyQao7>{Dn7qHUl$(F^GOco!>3^<?E(tEH0oP!;6S7JQ~WC0h`
z3lUHgQudS|rr5MCCNp-uIol69)gzEgCI@$IhI>k32R9u8UTR=r3KEOH@MCtZhT1y<
zZ|OgCR4J&>jBizwzMoPSt^k$&1qwpSPj))=Db=t3Iq`w-1P&dIq$U3|lY}1lzVsBM
zO86Y2zbwo-f2mcrjxls!N3on+yXaRgZhThqF^o@&TNivk&TN8gw(k7RZtkrK?4o&W
z*{w;1D<6GZ4P|!;btJqtxCl<C6w_MXyj`oJmSh+!?Sm_DEL3^dBJRCg>FOde2#W&o
zE;k3&0<OP>H;bOyk64p$Yl$`v%g5@hE)PRoV8N;TSs$KvuJ)|_B9*vQG_nZ&zK=lb
zdsi`*w3ddAMRdS5y2gz*AWe|4vG&ayfdR`>`FB!6J>`}_lwtb@CHy{REzje)MkrtM
zGx@k-Tx2QhdT+E$_9G$a7mMJ3K=9N6)&8S`-s#Q43q5U;Ba|?t=$Xq%v8Wl`w)*Q~
zI#@Bymyg%W&<4--YJoew+o2Atk?ulj&~NOX#fY`RpS<7w84c`KA>llJ>jydIx9wkB
zYCD^$35H+>y&dVQmOV3r)TDZ{DRR;8YBq7Zvn&6!q4tGG{HKwvu2;TM)|&`c;9IpE
z%7VYUruk}t`D@3CE3baar$(wXm%ig=Xo7+iC1g!l_c+)jqza16>DMoT^V(y#wHW2$
zmf1hj$1aH+^f7GP(li;y!uJ?OSF*YBc=xrJfD@i@PBXe4)$EklYrhi>^F(iKbJO3b
zh&a~MEgN{ys+7D`6;@7D47lyCK+=(qLm^xYr^Uj7PEUjxT6b$@@X9C6^c8y`%0@K|
zhlcOB?GFr1><X&9sc=;7EXWEh##TD$>@TN#Ks}mwdS3FgMDVHUOa%UwyqFDuK7s91
ztoSU)74$_6B#>t3pzr!szS$MhVXeL0Bv!2(yz&KK>M>mtj_12k(dqVsJ{|U)YkN-=
zD1JXohsNEYlV*?%x;wcOV*lSF+X6FPsR~#sM@_q$D4WFYMbk;xCG7mSrp>9Akk4{q
zh@;i(M@nYC3Cxi{9}6>BI3HKt(n-)gD?d`z&r<m{`l|h*rtqUr*+UJB1?y#&b)em9
z9@}6~_wbJ-KwP5wyW2oUta7UN$^duMM_1UdZ#3o(C3ObSB&~A8+b(maCv})84$v`q
zti)6ju+9Y3yzN`&Z5m4h*<-*;(#qfjHJkhmjjp-;uRQb5qxjclkIU8u{{25j>{H>T
zyG#S;WI^;d1T~}?)So)@2~5%miYPTf^<<QyKeMx6$H?y+GeN@yeB~Bh2?EM%?x%cY
zk-)nA<>qO)EB~MhN%xfOJ*Y~4(g=y(7{L2n#Gci<PCO(p#aw&$u*L`Iv_?A48a{x$
zT{=algD}Y=%6RQw9~u{Yh<J!HPD`0namI&)Vq2r*oHfH+DZAuIH5u##%DQRobh61{
zb75nudaU%M!J`T76Z(BXi#@$xJKz<LyUEeF6hZ1k{dxdNKrj4ex%ff-LB%;HcHJ{L
zWAfdtI(&$-k_ebF?Cu+c9;15pjtlhTs=k|Mb;J*M5pFx0cHwrB9UGnfwF{!L%zFR6
zv4058e~s6;z0l6!%&O6+$TKuu0bWeYh2l|LtCN6L<AJM>ia0H+nTrJjgd#{mu>zLd
z@s=q`z<T3La(0n}MGwi2Fkbt8(AoBxzxxd#;sxus*enr=cLDOFO=gS_4by6=^+KU=
z!t81zR2QeZQdf3*wjHBZN_vVL98QMfkn+}wU)aK5KPuiQ=tFW>3FPDH_g6%#Sl%Kd
zzQ6Cu6Xz`9v`x{Nl6b<^Y!nsreW6BEGfMq?XHVAm$Gs(@yT}43crR1N16_Lyg)88J
zrWTY#8c+T{jZVb_2cE1v&)%f`74d6Pux`@QGtMF5_6+8x_5!Rs40_Aff#jC5Ekw|R
zb(ZKpeYLlS{7vr33Dd$K{1`ef5zc?O|90|ad*f5CFTtEcj4085l%^av1GkEdZL3OA
z6c$p1_Q<X#=0}vV2(vOASYt-_6kOHgYhNm#2TBs&+XQ@f6y<jGyLenTlEm`5_?m#S
zpW7$=u^VJl`szn5#+#~t4kJdgrlreI0xDAgLSa0fg7%!F0rg%>&wOb(@S*Cn7}W=d
zt^^uV+xPKC9F%*nxvD-C+0;tn62nKs4j_Ok*WU>`;E`t~f>0liV~P&d!&UCm(m!f-
zpzPA~e59v)p_v#ooMKT;OEDVm8uCMyIr3JOaKQ&?luz?769>Z^f759+){nbyN4uIV
z(W+kMZ{GOTcxZ|u5|kE4eBlF`ihmVVbFCQ7mDs_gu}PWn$6G_pCWFKUVmMBoQFj)4
zg{F|8a&?%-fXMFz{eEmhD1d<ZGoj6)de-dRv}0xQ7bBG4!Q!+qs8xC=&R1~0sc;fz
zM;&kVEwf;IrU52A&-@?)yIZ4T#O7AY7jJFZDCom};+wzzRLvB7TIsJEX;c3?7t~8z
zSBj`JTs5Ed8?`t2AfQ?}PObErgzda<mrqdFw~5uC#ve=UTpC^GVdooNuxZK*K{tcy
zCVe2^SrqV*^~{y#MlQ-U>br2IS|E=a0y#FB6s!L-s$5=A%!R$J^!~ttQ;-<FsubX_
z!qG=XA-%ar&I03ctM-}CdM-w2ub9x45E^4wTGq1+%Jh%&EMA-Tn^5+#X;g#`KcSB&
z<qMx6Z3Y(!Ctpr~fOY@*Mr&!*(an#mTz?K&Q%^(<h}r|SFwlxaf7QT>$!e#;MQR}P
zHokxJ_CF3|(V5+(oc2sedynfc*t-VfkAt_E{Z#*&^$H}BT2;v%kI7cScFuuytD)}T
z(l0XfbMNNk$8VG86M?yhAw`nXtsg%Sm6yd=T1;a@?VN+mh7=GQ>!K(qhr#{l6GzE!
zt}A7RT@_z`u~qwhVUJX{Mwg?{+NJXF{8FpyUbuAKg85ziy&GVTXRUFo>8ZTu!(U(M
zrmrDH$AQHVqM-><twLIgGBD6y??i!j<X{0xQ*u1ngt9}lk9NBZl>4}fz}|G7g&VEp
z>U&!@rx<CyHKJ)o<Ge10trBWRS_($<h*JMlgzMB7w#--1C&5hlvoJ)rV`gr4n74Dq
z8(l5;esQEJ5R2ri12S1UT~U2SVR}F9*bb`EXEYT$kpfss`<h?fi(kq0Xq-Ry=O!xu
zmEF0&aC-Xmi@6+2ubSQWIP=*R4wPpvBz#b>*R;nx!;>#G00-rM*v-m6QHj~jD<hak
zy@TC_TJBVL#qB5b!M?T{RNIxSDJcK`#-!ET+32CcPim=gIpR7APNI}HqWIV828542
zIhjqFugI2vhP){dylS7=nmffSTf!Dt{JGe*C8SQb`t4rkaQ>*C0KB?QjDx#EzFCvV
z1aG!Sq1StmR+i{>#};8u``n%lmf6vbV)pwJ<+eh;E_e8qi#30XK)0g`;#dBBWnurV
zA<fE{w0`tdINJH(U?M(#N7q{MLsq<V%MDJ{NAq+A2h!NhS><koMbaSeiJi}8Z(3!t
z2cMB#BH;Ui37c^!SMvUBuOf%!lj8H0t3_4EHqR^H2em-XoJDSX{HgqSmGkig7>4E>
z>-%aC=iTG8z9IK+PdaXX#euvP@MWLZ>nNg&g<I$~cbL7*bfpV5ZT9Z@zsUEfUM^P|
z#9&uxCL9V@(II`|Y+r30-cYSPU;mC4*-e^nlaO)`4ME!tnQz-h+xy^84so>~sx!^X
zn;!iBd3H)Ed2B$p#tIx8t#g|)>W8RsAbLOd%w0wV$(E<p{~5Unv-iBiYOS~v&Oqaa
zsE_qmZLF$G!Pn!2R_fy@JJG>w#@-1W?FvVSALqGX&?}>@z{)BD?(2&uJGmnMwXrvj
z_^Jl9vR_Df3iP%*SeVAEseQQKC)@A))}5h~`wG6`=&KR7`;HBExg$=MKE_=$4y*!h
z*+yQ9ap*?;Xs}*rN;UsuB(_v4A?G6;*CDAWW1nQ@qRQ(X9V;f}EmXzq_(4b5O3pJ1
zww{33e(Sv;brT+C>ZSmRhyP3;>mgsW{2^Sxxn;pQHgVo$s376K!gIeR+q+97Wny!Z
z@Ab-q&oCrZ_&P<U8;M5M-glS?vD|TJA#vRCe0=;9%JvHpW~@Itz20Ms_XI(7iLSOb
zqiW@{yrH=gIg5W@U28g0EUQ}yEk}w6-K*suG;v;wMr{A>_<r;(D%h=O<QcoQ7E|j{
zzXvp3(E~+2opeYvp`pceAJlM2Z9f~og0XGz&SPMFqS{&gEK=aDv`L;1&XZRF&+pMJ
zXWnhvo7yLII;%)M+f8lL6)Y%YI_hMV8Kq8uObUaK2?ZvxBd-W<X?T;B8PJ5!b+pXB
z+1L&*oS2sgdbUL=D#%Lve&1Knr}_A(W<{fSWAN=kfp<v_?#N`@gzscTb9s+|$plA%
z!DCvn<rlnSmR8LW?J&MioVL=<C%eC0cYlUZ7lf$wAe;1!7YjY{WiC}rA5iPsE~97!
zUkI%}aG9B@bNfB_%My!2i{yA2Sjo&HD*8qnE#7ek1Iy6~OuT^U&7ZHHW4qJr26XRB
zs2H=pmt;C5`hs(j^n-&;Mew!US6H&zF)I7_sE`isdeN~pPL^FD#=}0nH=x3`D1O(5
zU_)$q91k1t{AV4lV$|A9o(&os&eO51OZT1;d(x8vfVV}a9X1ciH-3{U+&4$uRAi2I
zuR(eGRr`4vTGXH|vjyMyU9Uv0yw%bxZ>^UfD+PZ?Z@pX#o@61)F|V1)XM8L3o8=aJ
zHM`O=pz)M=elt9G{cN~lR4Zi{GV#dt_wxbYD{pfmoYn-}_Y{K7!&FLTdGQy&e+Z64
z4v&&+ZGqW`J9gvg`YvD47k+r)2FF}_6^t=)z@=gXGNsD#W<LX_rp<g;rqw$R*njvn
z1KEOfs3hW)u`UCZ9EA><O#BYlQcu!EW~w&8d1qO_zLx!f!7F*tTeWXa4_yl+!PXP~
zrQ~}w&5b7B(<%l3JF4q7@!VIp@>6Y!sb4rihdIZzs)%H1Ye9BMBeoSm`S1FQR3{Dg
z7K>)R`F2Kb2_hGh@u6*<8-B!D)uXyC%b7MaX@<@_Il`+RBHYOgo%<T$L)kc5HBMTJ
zb8EVxS}$?+_$DX&t=T4q&M_^_ztm-vneI;}40-TSy%zI$>=PZWYWYQ(v4aMaN2yRw
z72h>uMky9>9$<N3)`b3d*ngicXrDH`)qU^3+VT%FOP!;?A$zmuEmHMpF=;HYL&*j~
zTRgo2y~g8&*IqgGKTYFa{I{mjK4adPi7OQ?g4?zP);9WWS^%Zt-n4?>J|4PS)Lu`k
zq_oUT`%r4ct&dv`XE!D*^8$B%@RY1%hlYTUo%++KYk&fI=Sw(D)LW0&N|H`_;g&~*
zB>D1)dhs@CY52Kc`!h~i0mw7U6%14714_a#0cdV;<@#i(|2S#LkLY60K>znxL)gm5
z@5-@DWt{sn?njMBCWm`1;<YXR3fcGLABEts$i`ao6uPzCeW%r6w+%DstJ^?;J}mv%
z9DKBUn^Quz`Sbu+7Ld2OJ~-r+Xh_L=b#Rs6{$pUaBV~%lyqtRpE(ghISHljAY^Bh%
z;9a_B*-BoEPrPs`*@hDpu^A_oq#@BzFCs@%G!frs`=XX6<bHJTrj>eL`HEGD&P|8q
z!;97XrqCeoz1870+WO!Mvj-<9XvMI<YM~O+-777+X%pg8l=1h7fK??RWik7pJWQ1h
zF`+**wr`%lGTq=kHso{Hw;6iQEl+;+M3Of_6@fE5!mPY;kmf3(ZT*qKU>&;EE)KN}
zhMSD%xKXX*zp@IO&fh6u@l^G-ypoRSndq!(>x$tp?M)Q&K<t85cU*B2oYI?~xCTN3
zrJ_@ZU?^<}Heq>l+>)&iF=k%-g?LwRV0`A%WQwvXa-VHBFVHA08h~*ierV1nV3u>n
zlmck=J`u)d=g@Jk2g#%7zJev-{W-^(z!~hyUe33ZZ4Q0Ud$7<`1z@;>s&IZp&aTdc
zr{$TL5chZ7_lTT+AsAtpSXPuaTfTmd2D^#?BjBK&`5!MkkU9D37)8-3maA~0vHg9c
z;$J^m?rfSyMT~rlcpTLi#me&uH>N-<C_gxA8#&u*B7#O9IpW6g(2wRrKfe~5MWq{d
z@TBLLwi`*0CqP^#4q})&<)~?C37^^X%k;~B6o$o@T<b<mQe*^5V0O^;>-Sbaq%ocD
zAa|z+ib7U|E|0!k7ka&?WP9sFxNMyQzo;CsPbl*~E>-YT@&FpJ{x*kk;0+wR18V|J
z+WQW>`dlDrt9s5qa-AznzYm&0b2nCAD_C!N&vJQY<BS3ZXI08N2kI}9H_!PM=RM-*
zPGjjSqPMNBGAq=BNPaNNlxs}$_04b^%qlxJfEN#fd`eR|SdIfl6&N!0@h7FEspORu
zXg1N)r84&r%9Nik8Jg@!r65K2dF}3SGpL>>6wQq@(a&8r3jai!)deG4?Tk7wS4-p2
znV10e@JXI382tzPL^ZtIcn`5n{|dx(?lw$f|LC5v@Sc~ln7Oyh7RWxn#Z?H~8fy16
zGtcFFgl1~}`20|~LGLn2M_NSbXhBFUU62MqA8q;S4i4{!tJin>B=x2PO*nhh7gz^S
zn-sE2tILQ7?zi;^Fr(wec_puCAF&w_p#R|;TzRsvgLLZ}D`B(&KL0jxV7Ro`wf`4#
zkdsX{^04M2VSmEbmPDPNQ$0Ad^l>YSLA^PRpJC<s9i?7BZ|^ZM3Kn#I)LOANua=JW
z3+~*y?>ESU(rR<Mw)<3dEWrL^tL&C{!h9vHdDejN5!Ab0-g^T!Kl`r+PTi`0<LfpM
zKau8(lIshC1-{Cy{uBE_(M=-98BkL|FQK@7IGFEvZbuCwjU-Y))qf!FKhpZ8uCOg`
zX<hxCDklv-Hwy{o6xf~9o-kKIxsXJWl7hrcWq*m}f1UHnvT^`GXwdjj^AY7KTiih9
zza2zW4+gba?Hu;5x!nU>M6ZS2|G--s{U`fP2xYXV5;P<qo39QT-Q_Lz1NEHi;;bL%
zG`wZyiQ%%q_%W<Xs5=rK-8*Q`DG@nn-*8xsu*obzUQ2)QQaBE0fjsG0yTysBpN#t~
z5j-ES2JcAu2JgK~T?hXukxTPj2!IqMJ*JTY8~NvP#DE6oo$HJ2bZL$_sY@n;Y1*b%
z!TO&9+b((R-3TK6$jV-?<a{6gf+n4h4bi0Yre&%Yxqibzuoss)BEL6ja3#n_<{q(<
zmj)+OF=MKretqRjKF_A{HL6D`=2BuYd^KA|+PqA8GHbavvoLZA{(PRg>jrd^=cjJ;
z*xT3A=!4ny)fxFS@qwDlPO@JgUkI07#+zwKEH8ZvbnSUs(YxBQM!H{Dq{MFd%RKyc
zDo52bj@r&DPUcht_YO|eAm=nW5xp+pZ`l|zKMMo8`IX;R9P<~Izg;M5noRrDaFXoz
z&1K*!F!H8f;K=^Hm)m6GBky#Zg~<89RlZ{1Tj!^y7dDlP8pUQp?!A_x(bEf?__nrv
z7gI%N*qunUV7h0%J9mYJ+_w_PLWJ*3g{KKizG^|(>V1QtVf)@Vltay(^kc437WOnX
z3`VJMDtch$V=b@s^D{b~-lQgNM;IOcr-vnnqY|CkXSD`8+Ba$cam*8~Iz%|!qqK$_
z;49_ViO3(Za<;aV-N=*XPR$?4f?mO((!iz9rXsF|@X3l?Y`v$0wH<9wyw&jVm{z~G
z42l4~+0NNIt%KvxftFPPq~+t&M07bml(uE=5BesxZFjQzz9_G~w4aF<FWXb)HhNaA
zCi1-Pv=ZJ%LzZKSA$xhpiD#!VYA3m~p|K+?tQBUiu=(`R{Uh_#7gfGn$ud2IbH#g>
zNofaV!Ot1vQSQ|2kYhsH=9-1U**f(h`%?AN=Md!jT)!f|ly%V~c!9r+Ln~wimOnN!
zoSc2!(n{NI6qt%o{JvZ7Cq9HY{niwZhxZmCjsZyG2`QVJVYS|;(^5i{ZwCc`3AGL6
z?drIUI&JbD9OdE7+hM<j5G!ibqro)S$$?iG)k4>agdbZ)XeJ}Xgp8@9%XKe;ly1!2
zmFGRPgJv38n8>e97Ex*BJ#+j<9%Av2d|u8Zv_gDnvN1|T@w8Z@w6lUW-%z7(&}*KD
zPj9%GP2vGXSG_DhJ=vpGWU^MM(n8;@2lz1bjP6<Or55VwCtGp!#bjHjp@<iz7H*qu
zXyJ8C5)5TJMExNXvh&j)P7ue#zJ*PU6&1K{{&qpVu&hulaGW%LJ`Uo=)tkx3-@V2P
zl~DISUr~~?cK@BV>JyXg{cCZhg9_4p>*5AJWgII-vKW6a(=Ic4?mrJ(GqCxY{0OwT
zZ0#nE?B1VxuKHg3CJtS03~wxnS(Kmng5qH$p)B+!&RJO|6(s;y1m(aVHngqReR?*R
zK#{Q^9yNYtkr#3b!ACXZicZZVq#@qN5v&{-Tgw;au5O748qW{gxG<HL8@Jg7ozFr}
zY2#{<58B`}hs9COINH8Vm_`GGzE1BQB8TfmW;oq$m}dK@c&xpdODrRtEN}H@iwf10
za>f%$jpzcT=JRTFZcchq0ots5WDfI<2ver9_VPpoc7X)`<!9A5h^`T5^GlRpN)$Ys
zud;3EE#{V)@8iN|wXxUQmbCb{l+^k6LRm-8Y2lgf{CoD0c5Ib~GyiWsr~3c*EG;Fp
Zed&%KXnE6zc5oQ*^s(L}l%`$8{{Ys-O>F=G

literal 0
HcmV?d00001

diff --git a/zerver/tests/test_upload.py b/zerver/tests/test_upload.py
index 9ed3310a01..3476d315b6 100644
--- a/zerver/tests/test_upload.py
+++ b/zerver/tests/test_upload.py
@@ -326,6 +326,26 @@ class FileUploadTest(UploadSerializeMixin, ZulipTestCase):
         self.assertEqual(response.status_code, 403)
         self.assert_in_response("<p>You are not authorized to view this file.</p>", response)
 
+    def test_image_download_unauthed(self) -> None:
+        """
+        As the above, but with an Accept header that prefers images.
+        """
+        self.login("hamlet")
+        fp = StringIO("zulip!")
+        fp.name = "zulip.txt"
+        result = self.client_post("/json/user_uploads", {"file": fp})
+        response_dict = self.assert_json_success(result)
+        url = response_dict["uri"]
+
+        self.logout()
+        response = self.client_get(
+            url,
+            # This is what Chrome sends for <img> tags
+            headers={"Accept": "image/avif,image/webp,image/apng,image/*,*/*;q=0.8"},
+        )
+        self.assertEqual(response.status_code, 403)
+        self.assertEqual(response.headers["Content-Type"], "image/png")
+
     def test_removed_file_download(self) -> None:
         """
         Trying to download deleted files should return 404 error
@@ -354,6 +374,29 @@ class FileUploadTest(UploadSerializeMixin, ZulipTestCase):
         self.assertEqual(response.status_code, 404)
         self.assert_in_response("This file does not exist or has been deleted.", response)
 
+    def test_non_existing_image_download(self) -> None:
+        """
+        As the above method, but with an Accept header that prefers images to text
+        """
+        hamlet = self.example_user("hamlet")
+        self.login_user(hamlet)
+        response = self.client_get(
+            f"http://{hamlet.realm.host}/user_uploads/{hamlet.realm_id}/ff/gg/abc.png",
+            # This is what Chrome sends for <img> tags
+            headers={"Accept": "image/avif,image/webp,image/apng,image/*,*/*;q=0.8"},
+        )
+        self.assertEqual(response.status_code, 404)
+        self.assertEqual(response.headers["Content-Type"], "image/png")
+
+        response = self.client_get(
+            f"http://{hamlet.realm.host}/user_uploads/{hamlet.realm_id}/ff/gg/abc.png",
+            # Ask for something neither image nor text -- you get text as a default
+            headers={"Accept": "audio/*,application/octet-stream"},
+        )
+        self.assertEqual(response.status_code, 404)
+        self.assertEqual(response.headers["Content-Type"], "text/html; charset=utf-8")
+        self.assert_in_response("This file does not exist or has been deleted.", response)
+
     def test_attachment_url_without_upload(self) -> None:
         hamlet = self.example_user("hamlet")
         self.login_user(hamlet)
diff --git a/zerver/views/upload.py b/zerver/views/upload.py
index 069c88e2e3..b7cd96a9ab 100644
--- a/zerver/views/upload.py
+++ b/zerver/views/upload.py
@@ -3,7 +3,7 @@ import binascii
 import os
 from datetime import timedelta
 from mimetypes import guess_type
-from typing import Optional, Union
+from typing import List, Optional, Union
 from urllib.parse import quote, urlparse
 
 from django.conf import settings
@@ -20,13 +20,14 @@ from django.http import (
 )
 from django.shortcuts import redirect
 from django.urls import reverse
-from django.utils.cache import patch_cache_control
+from django.utils.cache import patch_cache_control, patch_vary_headers
 from django.utils.http import content_disposition_header
 from django.utils.translation import gettext as _
 
 from zerver.context_processors import get_valid_realm_from_request
 from zerver.lib.exceptions import JsonableError
 from zerver.lib.response import json_success
+from zerver.lib.storage import static_path
 from zerver.lib.upload import (
     check_upload_within_quota,
     get_public_upload_root_url,
@@ -167,6 +168,23 @@ def serve_file_url_backend(
     return serve_file(request, user_profile, realm_id_str, filename, url_only=True)
 
 
+def preferred_accept(request: HttpRequest, served_types: List[str]) -> Optional[str]:
+    # Returns the first of the served_types which the browser will
+    # accept, based on the browser's stated quality preferences.
+    # Returns None if none of the served_types are accepted by the
+    # browser.
+    accepted_types = sorted(
+        request.accepted_types,
+        key=lambda e: float(e.params.get("q", "1.0")),
+        reverse=True,
+    )
+    for potential_type in accepted_types:
+        for served_type in served_types:
+            if potential_type.match(served_type):
+                return served_type
+    return None
+
+
 def serve_file(
     request: HttpRequest,
     maybe_user_profile: Union[UserProfile, AnonymousUser],
@@ -179,10 +197,28 @@ def serve_file(
     realm = get_valid_realm_from_request(request)
     is_authorized = validate_attachment_request(maybe_user_profile, path_id, realm)
 
+    def serve_image_error(status: int, image_path: str) -> HttpResponseBase:
+        # We cannot use X-Accel-Redirect to offload the serving of
+        # this image to nginx, because it does not preserve the status
+        # code of this response, nor the Vary: header.
+        return FileResponse(open(static_path(image_path), "rb"), status=status)  # noqa: SIM115
+
     if is_authorized is None:
-        return HttpResponseNotFound(_("<p>This file does not exist or has been deleted.</p>"))
+        if preferred_accept(request, ["text/html", "image/png"]) == "image/png":
+            response = serve_image_error(404, "images/errors/image-not-exist.png")
+        else:
+            response = HttpResponseNotFound(
+                _("<p>This file does not exist or has been deleted.</p>")
+            )
+        patch_vary_headers(response, ("Accept",))
+        return response
     if not is_authorized:
-        return HttpResponseForbidden(_("<p>You are not authorized to view this file.</p>"))
+        if preferred_accept(request, ["text/html", "image/png"]) == "image/png":
+            response = serve_image_error(403, "images/errors/image-no-auth.png")
+        else:
+            response = HttpResponseForbidden(_("<p>You are not authorized to view this file.</p>"))
+        patch_vary_headers(response, ("Accept",))
+        return response
     if url_only:
         url = generate_unauthed_file_access_url(path_id)
         return json_success(request, data=dict(url=url))