From 6b09fc4ab786fa6723b643a660ac31e0b598aebf Mon Sep 17 00:00:00 2001
From: Amir Raminfar
Date: Sun, 17 Dec 2023 14:26:12 -0800
Subject: [PATCH] fix: escapes avatar url correctly. see #2601 (#2602)
---
 internal/auth/users.go | 7 ++++++-
 internal/web/profile.go | 8 ++++++--
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/internal/auth/users.go b/internal/auth/users.go
index 9d11f675..16243984 100644
--- a/internal/auth/users.go
+++ b/internal/auth/users.go
@@ -6,6 +6,7 @@ import (
 "encoding/hex"
 "fmt"
 "net/http"
+ "net/url"
 "os"
 "time"
@@ -22,7 +23,11 @@ type User struct {
 }
 func (u User) AvatarURL() string {
- return fmt.Sprintf("https://gravatar.com/avatar/%s?d=https%%3A%%2F%%2Fui-avatars.com%%2Fapi%%2F/%s/128", hashEmail(u.Email), u.Name)
+ name := u.Name
+ if name == "" {
+ name = u.Username
+ }
+ return fmt.Sprintf("https://gravatar.com/avatar/%s?d=https%%3A%%2F%%2Fui-avatars.com%%2Fapi%%2F/%s/128", hashEmail(u.Email), url.QueryEscape(name))
 }
 func newUser(username, email, name string) User {
diff --git a/internal/web/profile.go b/internal/web/profile.go
index a1142882..94113d48 100644
--- a/internal/web/profile.go
+++ b/internal/web/profile.go
@@ -39,6 +39,7 @@ func (h *handler) avatar(w http.ResponseWriter, r *http.Request) {
 return
 }
+ log.Debugf("Fetching avatar from %s", url)
 response, err := http.Get(url)
 if err != nil {
 http.Error(w, err.Error(), http.StatusInternalServerError)
@@ -47,8 +48,11 @@ func (h *handler) avatar(w http.ResponseWriter, r *http.Request) {
 defer response.Body.Close()
- w.Header().Set("Content-Type", response.Header.Get("Content-Type"))
- w.Header().Set("Cache-Control", "public, max-age=86400")
+ if response.StatusCode != http.StatusOK {
+ log.Errorf("Received status code %d from %s", response.StatusCode, url)
+ return
+ }
+ w.Header().Set("Content-Type", response.Header.Get("Content-Type"))
 io.Copy(w, response.Body)
 }
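Review bot: `url.QueryEscape(name)` in `AvatarURL` encodes the name for one layer only, while the name sits inside the ui-avatars URL that is itself the value of Gravatar's `d` parameter. Once that parameter is decoded (presumably by Gravatar before it falls back to the default image), a display name containing `/`, `?` or `#` is back in raw form and changes the inner URL's path or query. Escape per layer instead: `inner := "https://ui-avatars.com/api//" + url.PathEscape(name) + "/128"` followed by `return fmt.Sprintf("https://gravatar.com/avatar/%s?d=%s", hashEmail(u.Email), url.QueryEscape(inner))` (the doubled slash after `api` is kept from the current format string). A doc comment on `AvatarURL` stating that it falls back from `Name` to `Username` would also help.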
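Review bot: The new `log.Debugf` line writes the full avatar URL to the log, and the `log.Errorf` added in the next hunk of this file does the same at error level. `url` is assigned above this hunk; assuming it comes from `User.AvatarURL()`, it carries the `hashEmail(u.Email)` value and the user's display name, so both identifiers end up in log storage. Logging only the upstream host or the username would keep the diagnostic value without them. The body of `avatar` starts and ends outside this hunk.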
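Review bot: The new non-200 branch returns without writing anything, so net/http sends the client an implicit `200 OK` with an empty body and the failure is visible only in the server log. Answer explicitly before the `return`, for example `http.Error(w, "avatar unavailable", http.StatusBadGateway)`. The `Content-Type` header is still copied verbatim from the upstream response; because the body is served from this application's origin, it would be safer to relay it only when it starts with `image/` and to set `X-Content-Type-Options: nosniff`. The commit also drops the `Cache-Control` line, and if that is intentional a one-line comment saying why would help the next reader. `avatar` begins above this hunk.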