40 lines
963 B
Diff
40 lines
963 B
Diff
diff --git a/pkg/api/avatar/avatar.go b/pkg/api/avatar/avatar.go
|
|
--- a/pkg/api/avatar/avatar.go
|
|
+++ b/pkg/api/avatar/avatar.go
|
|
@@ -17,14 +17,15 @@ import (
|
|
"net/http"
|
|
"net/url"
|
|
"path/filepath"
|
|
+ "regexp"
|
|
"strconv"
|
|
"strings"
|
|
"sync"
|
|
"time"
|
|
|
|
"github.com/grafana/grafana/pkg/infra/log"
|
|
+ "github.com/grafana/grafana/pkg/models"
|
|
"github.com/grafana/grafana/pkg/setting"
|
|
- "gopkg.in/macaron.v1"
|
|
|
|
gocache "github.com/patrickmn/go-cache"
|
|
)
|
|
@@ -97,9 +98,15 @@ type CacheServer struct {
|
|
cache *gocache.Cache
|
|
}
|
|
|
|
-func (this *CacheServer) Handler(ctx *macaron.Context) {
|
|
- urlPath := ctx.Req.URL.Path
|
|
- hash := urlPath[strings.LastIndex(urlPath, "/")+1:]
|
|
+var validMD5 = regexp.MustCompile("^[a-fA-F0-9]{32}$")
|
|
+
|
|
+func (this *CacheServer) Handler(ctx *models.ReqContext) {
|
|
+ hash := ctx.Params("hash")
|
|
+
|
|
+ if len(hash) != 32 || !validMD5.MatchString(hash) {
|
|
+ ctx.JsonApiErr(404, "Avatar not found", nil)
|
|
+ return
|
|
+ }
|
|
|
|
var avatar *Avatar
|
|
|