Fix possible panic (#17694)

- The code will get the first and second character `link[{0,1]]`. However in a rare case the `link` could have 1 character and thus the `link[1]` will create a panic.
author: Gusted <williamzijl7@hotmail.com> 2021-11-18 13:25:56 +0000
committer: GitHub <noreply@github.com> 2021-11-18 21:25:56 +0800
commit: 257b7171c34446e73fc83186f859e9b9ce67be76 (patch)
tree: 475c08d1dbd46ea1704d2579699a83d3574e61d7 /models/repo_avatar.go
parent: d1f5584039b46c70e4abfb933a928a28e6065965 (diff)
download: gitea-257b7171c34446e73fc83186f859e9b9ce67be76.tar.gz
gitea-257b7171c34446e73fc83186f859e9b9ce67be76.zip
1 files changed, 4 insertions, 5 deletions
diff --git a/models/repo_avatar.go b/models/repo_avatar.go
index aa1b3bc15f..6c83e11a53 100644
--- a/models/repo_avatar.go
+++ b/models/repo_avatar.go
@@ -108,12 +108,11 @@ func (repo *Repository) AvatarLink() string {
 // avatarLink returns user avatar absolute link.
 func (repo *Repository) avatarLink(e db.Engine) string {
 	link := repo.relAvatarLink(e)
-	// link may be empty!
-	if len(link) > 0 {
-		if link[0] == '/' && link[1] != '/' {
-			return setting.AppURL + strings.TrimPrefix(link, setting.AppSubURL)[1:]
-		}
+	// we only prepend our AppURL to our known (relative, internal) avatar link to get an absolute URL
+	if strings.HasPrefix(link, "/") && !strings.HasPrefix(link, "//") {
+		return setting.AppURL + strings.TrimPrefix(link, setting.AppSubURL)[1:]
 	}
+	// otherwise, return the link as it is
 	return link
 }
author	Gusted <williamzijl7@hotmail.com>	2021-11-18 13:25:56 +0000
committer	GitHub <noreply@github.com>	2021-11-18 21:25:56 +0800
commit	257b7171c34446e73fc83186f859e9b9ce67be76 (patch)
tree	475c08d1dbd46ea1704d2579699a83d3574e61d7 /models/repo_avatar.go
parent	d1f5584039b46c70e4abfb933a928a28e6065965 (diff)
download	gitea-257b7171c34446e73fc83186f859e9b9ce67be76.tar.gz gitea-257b7171c34446e73fc83186f859e9b9ce67be76.zip