From dfe21fa4c3ac04fbedc3b6fb77594eab3faf495e Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Tue, 23 Mar 2021 23:58:38 +0800
Subject: [PATCH] Fix bug on avatar middleware

---
 routers/routes/routes.go | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/routers/routes/routes.go b/routers/routes/routes.go
index bdde8216c4489..78468476e3a04 100644
--- a/routers/routes/routes.go
+++ b/routers/routes/routes.go
@@ -13,6 +13,7 @@ import (
 	"net/http"
 	"os"
 	"path"
+	"path/filepath"
 	"strings"
 	"text/template"
 	"time"
@@ -152,12 +153,21 @@ func storageHandler(storageSetting setting.Storage, prefix string, objStore stor
 			return
 		}
 
-		if !strings.HasPrefix(req.URL.RequestURI(), "/"+prefix) {
+		prefix := strings.Trim(prefix, "/")
+
+		if !strings.HasPrefix(req.URL.EscapedPath(), "/"+prefix+"/") {
 			return
 		}
+		rPath := strings.TrimPrefix(req.URL.EscapedPath(), "/"+prefix+"/")
 
-		rPath := strings.TrimPrefix(req.URL.RequestURI(), "/"+prefix)
 		rPath = strings.TrimPrefix(rPath, "/")
+		if rPath == "" {
+			ctx.Error(404, "file not found")
+			return
+		}
+		rPath = path.Clean("/" + filepath.ToSlash(rPath))
+		rPath = rPath[1:]
+
 		//If we have matched and access to release or issue
 		fr, err := objStore.Open(rPath)
 		if err != nil {