From 2b91841cd3e1213ff3e4ed4209d6a4be89c2fa79 Mon Sep 17 00:00:00 2001 From: 6543 <6543@obermui.de> Date: Mon, 10 Apr 2023 22:14:16 +0200 Subject: [PATCH] Reserve ".png" suffix for user/org names (#23992) Org/User names ending with ".png" where not functional, so reserve them alternative / close #23908 --- models/user/user.go | 3 ++- tests/integration/user_avatar_test.go | 11 +++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/models/user/user.go b/models/user/user.go index 82c2d3b6c..5709ed7ff 100644 --- a/models/user/user.go +++ b/models/user/user.go @@ -537,7 +537,8 @@ var ( "gitea-actions", } - reservedUserPatterns = []string{"*.keys", "*.gpg", "*.rss", "*.atom"} + // DON'T ADD ANY NEW STUFF, WE SOLVE THIS WITH `/user/{obj}` PATHS! + reservedUserPatterns = []string{"*.keys", "*.gpg", "*.rss", "*.atom", "*.png"} ) // IsUsableUsername returns an error when a username is reserved diff --git a/tests/integration/user_avatar_test.go b/tests/integration/user_avatar_test.go index 7aeba6a33..ec5813df0 100644 --- a/tests/integration/user_avatar_test.go +++ b/tests/integration/user_avatar_test.go @@ -5,6 +5,7 @@ package integration import ( "bytes" + "fmt" "image/png" "io" "mime/multipart" @@ -77,6 +78,16 @@ func TestUserAvatar(t *testing.T) { req = NewRequest(t, "GET", user2.AvatarLinkWithSize(db.DefaultContext, 0)) _ = session.MakeRequest(t, req, http.StatusOK) + testGetAvatarRedirect(t, user2) + // Can't test if the response matches because the image is re-generated on upload but checking that this at least doesn't give a 404 should be enough. }) } + +func testGetAvatarRedirect(t *testing.T, user *user_model.User) { + t.Run(fmt.Sprintf("getAvatarRedirect_%s", user.Name), func(t *testing.T) { + req := NewRequestf(t, "GET", "/%s.png", user.Name) + resp := MakeRequest(t, req, http.StatusSeeOther) + assert.EqualValues(t, fmt.Sprintf("/avatars/%s", user.Avatar), resp.Header().Get("location")) + }) +}