Via HackerOne. If an invalid PHID is submitted and reaches this code, we won't load a file and will fatal below:

https://secure.phabricator.com/source/phabricator/browse/master/src/applications/people/controller/PhabricatorPeopleProfilePictureController.php;9b92e56dfc033d298393617fcbd59357d5dd1e7b$40-43

It's possible that other similar endpoints (e.g., projects) are also affected since I think this code got copy/pasted a bit.

Ideally, we would reduce the amount of copy/paste going on here, although that may not be entirely straightforward.