From f4e677edb1f236cd802f5dd2f0759252c9235bd6 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Wed, 24 Mar 2021 01:20:24 +0800
Subject: [PATCH] Fix bug on avatar middleware (#15124)

---
 routers/routes/base.go | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/routers/routes/base.go b/routers/routes/base.go
index 12a35936b1..743582d4a5 100644
--- a/routers/routes/base.go
+++ b/routers/routes/base.go
@@ -11,6 +11,7 @@ import (
 	"net/http"
 	"os"
 	"path"
+	"path/filepath"
 	"strings"
 	"time"
 
@@ -87,13 +88,21 @@ func storageHandler(storageSetting setting.Storage, prefix string, objStore stor
 				return
 			}
 
-			if !strings.HasPrefix(req.URL.RequestURI(), "/"+prefix) {
+			prefix := strings.Trim(prefix, "/")
+
+			if !strings.HasPrefix(req.URL.EscapedPath(), "/"+prefix+"/") {
 				next.ServeHTTP(w, req)
 				return
 			}
 
-			rPath := strings.TrimPrefix(req.URL.RequestURI(), "/"+prefix)
+			rPath := strings.TrimPrefix(req.URL.EscapedPath(), "/"+prefix+"/")
 			rPath = strings.TrimPrefix(rPath, "/")
+			if rPath == "" {
+				http.Error(w, "file not found", 404)
+				return
+			}
+			rPath = path.Clean("/" + filepath.ToSlash(rPath))
+			rPath = rPath[1:]
 
 			fi, err := objStore.Stat(rPath)
 			if err == nil && httpcache.HandleTimeCache(req, w, fi) {