diff --git a/src/rpc/apis/users.ts b/src/rpc/apis/users.ts
index 5b56923..3589c90 100644
--- a/src/rpc/apis/users.ts
+++ b/src/rpc/apis/users.ts
@@ -4,12 +4,11 @@ import { compare, hash } from "bcrypt";
 import { getPublicUserObject, loginAttempt } from "../../auth";
 import { RPCContext, bufferSlice, method, methodButWarningDoesNotAuthenticate, string, usernameRegex, withRegexp } from "./../rpc";
 import sharp from "sharp";
-import path from "path";
 import { randomBytes } from "crypto";
 import { unlink } from "fs/promises";
 import { GatewayPayloadType } from "../../gateway/gatewaypayloadtype";
-import { supportedImageMime } from "../../uploading";
-import { avatarUploadDirectory, disableAccountCreation, superuserKey } from "../../serverconfig";
+import { UploadTarget, getSafeUploadPath, supportedImageMime } from "../../uploading";
+import { disableAccountCreation, superuserKey } from "../../serverconfig";
 
 const fileType = eval("import('file-type')");
 
@@ -108,10 +107,13 @@ method(
         const filenames = new Array(profilePictureSizes.length);
         for (let i = 0; i < profilePictureSizes.length; i++) {
             filenames[i] = `${avatarId}_${profilePictureSizes[i]}.webp`;
-            promises[i] = sharp(buffer, { limitInputPixels: 1000 * 1000 })
-                .resize(profilePictureSizes[i], profilePictureSizes[i], { fit: "cover" })
-                .timeout({ seconds: 3 })
-                .toFile(path.resolve(path.join(avatarUploadDirectory, filenames[i])));
+            const safePath = getSafeUploadPath(UploadTarget.Avatar, filenames[i]);
+            if (safePath) {
+                promises[i] = sharp(buffer, { limitInputPixels: 1000 * 1000 })
+                    .resize(profilePictureSizes[i], profilePictureSizes[i], { fit: "cover" })
+                    .timeout({ seconds: 3 })
+                    .toFile(safePath);
+            }
         }
 
         try {
@@ -121,7 +123,10 @@ method(
             console.error("rpc: putUserAvatar: removing all processed images due to error above");
             for (let i = 0; i < filenames.length; i++) {
                 try {
-                    await unlink(path.resolve(path.join(avatarUploadDirectory, filenames[i])));
+                    const safePath = getSafeUploadPath(UploadTarget.Avatar, filenames[i]);
+                    if (safePath) {
+                        await unlink(safePath);
+                    }
                 } catch(o_0) {
                     //console.error("rpc: putUserAvatar: error while removing files (upon error)", o_0);
                 }
@@ -133,7 +138,12 @@ method(
         if (user.avatar) {
             for (let i = 0; i < profilePictureSizes.length; i++) {
                 try {
-                    await unlink(path.resolve(path.join(avatarUploadDirectory, `${user.avatar}_${profilePictureSizes[i]}.webp`)));
+                    const safePath = getSafeUploadPath(UploadTarget.Avatar, `${user.avatar}_${profilePictureSizes[i]}.webp`);
+                    if (safePath) {
+                        await unlink(safePath);
+                    } else {
+                        console.error("rpc: putUserAvatar: error while removing files (removing old avatar): getSafeUploadPath failed. This should not happen.");
+                    }
                 } catch(o_0) {
                     console.error("rpc: putUserAvatar: error while removing files (removing old avatar)", o_0);
                 }