Fix bug on avatar middleware (#15124)
authorLunny Xiao <xiaolunwen@gmail.com>
Tue, 23 Mar 2021 17:20:24 +0000 (01:20 +0800)
committerGitHub <noreply@github.com>
Tue, 23 Mar 2021 17:20:24 +0000 (18:20 +0100)
routers/routes/base.go

index 12a35936b10e4db6eaa436d43746cbf0fd22ac54..743582d4a56dc93646f944d6ae900def2a5a93ec 100644 (file)
@@ -11,6 +11,7 @@ import (
        "net/http"
        "os"
        "path"
+       "path/filepath"
        "strings"
        "time"
 
@@ -87,13 +88,21 @@ func storageHandler(storageSetting setting.Storage, prefix string, objStore stor
                                return
                        }
 
-                       if !strings.HasPrefix(req.URL.RequestURI(), "/"+prefix) {
+                       prefix := strings.Trim(prefix, "/")
+
+                       if !strings.HasPrefix(req.URL.EscapedPath(), "/"+prefix+"/") {
                                next.ServeHTTP(w, req)
                                return
                        }
 
-                       rPath := strings.TrimPrefix(req.URL.RequestURI(), "/"+prefix)
+                       rPath := strings.TrimPrefix(req.URL.EscapedPath(), "/"+prefix+"/")
                        rPath = strings.TrimPrefix(rPath, "/")
+                       if rPath == "" {
+                               http.Error(w, "file not found", 404)
+                               return
+                       }
+                       rPath = path.Clean("/" + filepath.ToSlash(rPath))
+                       rPath = rPath[1:]
 
                        fi, err := objStore.Stat(rPath)
                        if err == nil && httpcache.HandleTimeCache(req, w, fi) {
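Review bot: The `if rPath == ""` check runs before `path.Clean`, so a remainder such as `.` or `..` passes it, is reduced to `/` by the clean and becomes an empty string at `rPath = rPath[1:]`, which then reaches `objStore.Stat`; moving the check (or repeating it) after `rPath = rPath[1:]` closes that gap. The normalization is also applied to `req.URL.EscapedPath()`, so percent-encoded dot segments and separators are invisible to `path.Clean`, and object names containing escaped characters may not match the stored keys; cleaning the decoded `req.URL.Path` looks like the safer input, though that depends on how the storage backend interprets the key. `filepath.ToSlash` rewrites only the host OS separator, so on non-Windows hosts a backslash passes through unchanged. The body of storageHandler starts and ends outside this hunk, so the handling after `objStore.Stat` is not visible here.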