fix: fix incomplete URL substring sanitization

2025-12-24 02:39:18 -05:00 · 2024-08-28 14:21:07 +00:00
parent 14fdd4e293
commit cbf3bbb17d
3 changed files with 7 additions and 7 deletions
--- a/server/routes/auth.ts
+++ b/server/routes/auth.ts
@@ -345,7 +345,7 @@ authRoutes.post('/jellyfin', async (req, res, next) => {
          });

          if (
-            user.avatar.startsWith('https://gravatar.com') &&
+            user.avatar.startsWith('https://gravatar.com/') &&
            user.avatar.includes('default=mm&size=200')
          ) {
            user.avatar = 'https://gravatar.com/avatar/?default=mm&size=200';
@@ -371,7 +371,7 @@ authRoutes.post('/jellyfin', async (req, res, next) => {
          });

          if (
-            user.avatar.startsWith('https://gravatar.com') &&
+            user.avatar.startsWith('https://gravatar.com/') &&
            user.avatar.includes('default=mm&size=200')
          ) {
            user.avatar = 'https://gravatar.com/avatar/?default=mm&size=200';
@@ -437,7 +437,7 @@ authRoutes.post('/jellyfin', async (req, res, next) => {
        });

        if (
-          avatar.startsWith('https://gravatar.com') &&
+          avatar.startsWith('https://gravatar.com/') &&
          avatar.includes('default=mm&size=200')
        ) {
          avatar = 'https://gravatar.com/avatar/?default=mm&size=200';
@@ -500,7 +500,7 @@ authRoutes.post('/jellyfin', async (req, res, next) => {
      });

      if (
-        user.avatar.startsWith('https://gravatar.com') &&
+        user.avatar.startsWith('https://gravatar.com/') &&
        user.avatar.includes('default=mm&size=200')
      ) {
        user.avatar = 'https://gravatar.com/avatar/?default=mm&size=200';
--- a/server/routes/avatarproxy.ts
+++ b/server/routes/avatarproxy.ts
@@ -11,7 +11,7 @@ router.get('/*', async (req, res) => {

  try {
    if (
-      imagePath.startsWith('https://gravatar.com') &&
+      imagePath.startsWith('https://gravatar.com/') &&
      imagePath.includes('default=mm&size=200')
    ) {
      imagePath = 'https://gravatar.com/avatar/?default=mm&size=200';
--- a/server/routes/user/index.ts
+++ b/server/routes/user/index.ts
@@ -125,7 +125,7 @@ router.post(
      let avatar = gravatarUrl(email, { default: 'mm', size: 200 });

      if (
-        avatar.startsWith('https://gravatar.com') &&
+        avatar.startsWith('https://gravatar.com/') &&
        avatar.includes('default=mm&size=200')
      ) {
        avatar = 'https://gravatar.com/avatar/?default=mm&size=200';
@@ -565,7 +565,7 @@ router.post(
          });

          if (
-            newUser.avatar.startsWith('https://gravatar.com') &&
+            newUser.avatar.startsWith('https://gravatar.com/') &&
            newUser.avatar.includes('default=mm&size=200')
          ) {
            newUser.avatar = 'https://gravatar.com/avatar/?default=mm&size=200';