authorLunny Xiao <xiaolunwen@gmail.com>2021-03-24 01:20:24 +0800
committerGitHub <noreply@github.com>2021-03-23 18:20:24 +0100
commitf4e677edb1f236cd802f5dd2f0759252c9235bd6 (patch)
tree6788e48cb7e93babde64a2160c492197e28b0153 /routers/routes
parent687e2dfa554f7b32353c30048f62792d85edeb38 (diff)
Fix bug on avatar middleware (#15124)
Diffstat (limited to 'routers/routes')
-rw-r--r--routers/routes/base.go13
1 files changed, 11 insertions, 2 deletions
diff --git a/routers/routes/base.go b/routers/routes/base.go
index 12a35936b1..743582d4a5 100644
--- a/routers/routes/base.go
+++ b/routers/routes/base.go
@@ -11,6 +11,7 @@ import (
"net/http"
"os"
"path"
+ "path/filepath"
"strings"
"time"
@@ -87,13 +88,21 @@ func storageHandler(storageSetting setting.Storage, prefix string, objStore stor
return
}
- if !strings.HasPrefix(req.URL.RequestURI(), "/"+prefix) {
+ prefix := strings.Trim(prefix, "/")
+
+ if !strings.HasPrefix(req.URL.EscapedPath(), "/"+prefix+"/") {
next.ServeHTTP(w, req)
return
}
- rPath := strings.TrimPrefix(req.URL.RequestURI(), "/"+prefix)
+ rPath := strings.TrimPrefix(req.URL.EscapedPath(), "/"+prefix+"/")
rPath = strings.TrimPrefix(rPath, "/")
+ if rPath == "" {
+ http.Error(w, "file not found", 404)
+ return
+ }
+ rPath = path.Clean("/" + filepath.ToSlash(rPath))
+ rPath = rPath[1:]
fi, err := objStore.Stat(rPath)
if err == nil && httpcache.HandleTimeCache(req, w, fi) {
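Review bot: The `if rPath == ""` check runs before normalisation, so a remainder such as `.` passes it, is reduced to `/` by `path.Clean`, and reaches `objStore.Stat` as an empty string after `rPath = rPath[1:]`. Moving the whole `rPath == ""` block below the `rPath = rPath[1:]` line closes that gap; what `Stat` does with an empty name depends on the storage backend, which is not visible here. The cleaning also works on `req.URL.EscapedPath()`, so percent-encoded dot segments are never normalised; if any backend decodes escapes, `req.URL.Path` would be the safer input, which is worth confirming. A short comment on the clean line would help the next reader, e.g. `// root the path at "/" so ".." cannot climb above the storage root`, and `404` reads better as `http.StatusNotFound`. The body of storageHandler starts and ends outside this hunk.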