fix: escapes avatar url correctly. see #2601 (#2602)

2025-12-27 07:31:46 +01:00 · 2023-12-17 14:26:12 -08:00
parent 0cf728473b
commit 6b09fc4ab7
2 changed files with 12 additions and 3 deletions
--- a/internal/auth/users.go
+++ b/internal/auth/users.go
@@ -6,6 +6,7 @@ import (
 	"encoding/hex"
 	"fmt"
 	"net/http"
+	"net/url"
 	"os"
 	"time"

@@ -22,7 +23,11 @@ type User struct {
 }

 func (u User) AvatarURL() string {
-	return fmt.Sprintf("https://gravatar.com/avatar/%s?d=https%%3A%%2F%%2Fui-avatars.com%%2Fapi%%2F/%s/128", hashEmail(u.Email), u.Name)
+	name := u.Name
+	if name == "" {
+		name = u.Username
+	}
+	return fmt.Sprintf("https://gravatar.com/avatar/%s?d=https%%3A%%2F%%2Fui-avatars.com%%2Fapi%%2F/%s/128", hashEmail(u.Email), url.QueryEscape(name))
 }

 func newUser(username, email, name string) User {
--- a/internal/web/profile.go
+++ b/internal/web/profile.go
@@ -39,6 +39,7 @@ func (h *handler) avatar(w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	log.Debugf("Fetching avatar from %s", url)
 	response, err := http.Get(url)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
@@ -47,8 +48,11 @@ func (h *handler) avatar(w http.ResponseWriter, r *http.Request) {

 	defer response.Body.Close()

-	w.Header().Set("Content-Type", response.Header.Get("Content-Type"))
-	w.Header().Set("Cache-Control", "public, max-age=86400")
+	if response.StatusCode != http.StatusOK {
+		log.Errorf("Received status code %d from %s", response.StatusCode, url)
+		return
+	}

+	w.Header().Set("Content-Type", response.Header.Get("Content-Type"))
 	io.Copy(w, response.Body)
 }