Fix possible panic (#17694)

- The code will get the first and second character `link[{0,1]]`.
However in a rare case the `link` could have 1 character and thus the
`link[1]` will create a panic.

diff --git a/models/repo_avatar.go b/models/repo_avatar.go
index aa1b3bc15f3ccec8fa8a6dd9a11e496922f32d7c..6c83e11a5390a40383c471a79f70c96f1229c24d 100644 (file)
--- a/models/repo_avatar.go
+++ b/models/repo_avatar.go
@@ -108,12 +108,11 @@ func (repo *Repository) AvatarLink() string {
 // avatarLink returns user avatar absolute link.
 func (repo *Repository) avatarLink(e db.Engine) string {
        link := repo.relAvatarLink(e)
-       // link may be empty!
-       if len(link) > 0 {
-               if link[0] == '/' && link[1] != '/' {
-                       return setting.AppURL + strings.TrimPrefix(link, setting.AppSubURL)[1:]
-               }
+       // we only prepend our AppURL to our known (relative, internal) avatar link to get an absolute URL
+       if strings.HasPrefix(link, "/") && !strings.HasPrefix(link, "//") {
+               return setting.AppURL + strings.TrimPrefix(link, setting.AppSubURL)[1:]
        }
+       // otherwise, return the link as it is
        return link
 }