Fix bug on avatar middleware (#15125)

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>

diff --git a/routers/routes/routes.go b/routers/routes/routes.go
index bdde8216c448927b2f5096903f74a01a47b3f5af..78468476e3a0403ae10e0aa93b18735a657ff8a7 100644 (file)
--- a/routers/routes/routes.go
+++ b/routers/routes/routes.go
@@ -13,6 +13,7 @@ import (
        "net/http"
        "os"
        "path"
+       "path/filepath"
        "strings"
        "text/template"
        "time"
@@ -152,12 +153,21 @@ func storageHandler(storageSetting setting.Storage, prefix string, objStore stor
                        return
                }
 
-               if !strings.HasPrefix(req.URL.RequestURI(), "/"+prefix) {
+               prefix := strings.Trim(prefix, "/")
+
+               if !strings.HasPrefix(req.URL.EscapedPath(), "/"+prefix+"/") {
                        return
                }
+               rPath := strings.TrimPrefix(req.URL.EscapedPath(), "/"+prefix+"/")
 
-               rPath := strings.TrimPrefix(req.URL.RequestURI(), "/"+prefix)
                rPath = strings.TrimPrefix(rPath, "/")
+               if rPath == "" {
+                       ctx.Error(404, "file not found")
+                       return
+               }
+               rPath = path.Clean("/" + filepath.ToSlash(rPath))
+               rPath = rPath[1:]
+
                //If we have matched and access to release or issue
                fr, err := objStore.Open(rPath)
                if err != nil {