fix: escapes avatar url correctly. see #2601 (#2602)

amir20 · Dec 17, 2023 · 6b09fc4 · 6b09fc4
1 parent 0cf7284
commit 6b09fc4
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 3 deletions.
diff --git a/internal/auth/users.go b/internal/auth/users.go
@@ -6,6 +6,7 @@ import (
 	"encoding/hex"
 	"fmt"
 	"net/http"
+	"net/url"
 	"os"
 	"time"
 
@@ -22,7 +23,11 @@ type User struct {
 }
 
 func (u User) AvatarURL() string {
-	return fmt.Sprintf("https://gravatar.com/avatar/%s?d=https%%3A%%2F%%2Fui-avatars.com%%2Fapi%%2F/%s/128", hashEmail(u.Email), u.Name)
+	name := u.Name
+	if name == "" {
+		name = u.Username
+	}
+	return fmt.Sprintf("https://gravatar.com/avatar/%s?d=https%%3A%%2F%%2Fui-avatars.com%%2Fapi%%2F/%s/128", hashEmail(u.Email), url.QueryEscape(name))
 }
 
 func newUser(username, email, name string) User {

diff --git a/internal/web/profile.go b/internal/web/profile.go
@@ -39,6 +39,7 @@ func (h *handler) avatar(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	log.Debugf("Fetching avatar from %s", url)
 	response, err := http.Get(url)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
@@ -47,8 +48,11 @@ func (h *handler) avatar(w http.ResponseWriter, r *http.Request) {
 
 	defer response.Body.Close()
 
-	w.Header().Set("Content-Type", response.Header.Get("Content-Type"))
-	w.Header().Set("Cache-Control", "public, max-age=86400")
+	if response.StatusCode != http.StatusOK {
+		log.Errorf("Received status code %d from %s", response.StatusCode, url)
+		return
+	}
 
+	w.Header().Set("Content-Type", response.Header.Get("Content-Type"))
 	io.Copy(w, response.Body)
 }