fix: fix incomplete URL substring sanitization

fallenbagel · Aug 28, 2024 · d461189 · d461189
1 parent 1306a2a
commit d461189
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 7 deletions.
diff --git a/server/routes/auth.ts b/server/routes/auth.ts
@@ -345,7 +345,7 @@ authRoutes.post('/jellyfin', async (req, res, next) => {
           });
 
           if (
-            user.avatar.startsWith('https://gravatar.com') &&
+            user.avatar.startsWith('https://gravatar.com/') &&
             user.avatar.includes('default=mm&size=200')
           ) {
             user.avatar = 'https://gravatar.com/avatar/?default=mm&size=200';
@@ -371,7 +371,7 @@ authRoutes.post('/jellyfin', async (req, res, next) => {
           });
 
           if (
-            user.avatar.startsWith('https://gravatar.com') &&
+            user.avatar.startsWith('https://gravatar.com/') &&
             user.avatar.includes('default=mm&size=200')
           ) {
             user.avatar = 'https://gravatar.com/avatar/?default=mm&size=200';
@@ -437,7 +437,7 @@ authRoutes.post('/jellyfin', async (req, res, next) => {
         });
 
         if (
-          avatar.startsWith('https://gravatar.com') &&
+          avatar.startsWith('https://gravatar.com/') &&
           avatar.includes('default=mm&size=200')
         ) {
           avatar = 'https://gravatar.com/avatar/?default=mm&size=200';
@@ -500,7 +500,7 @@ authRoutes.post('/jellyfin', async (req, res, next) => {
       });
 
       if (
-        user.avatar.startsWith('https://gravatar.com') &&
+        user.avatar.startsWith('https://gravatar.com/') &&
         user.avatar.includes('default=mm&size=200')
       ) {
         user.avatar = 'https://gravatar.com/avatar/?default=mm&size=200';

diff --git a/server/routes/avatarproxy.ts b/server/routes/avatarproxy.ts
@@ -11,7 +11,7 @@ router.get('/*', async (req, res) => {
 
   try {
     if (
-      imagePath.startsWith('https://gravatar.com') &&
+      imagePath.startsWith('https://gravatar.com/') &&
       imagePath.includes('default=mm&size=200')
     ) {
       imagePath = 'https://gravatar.com/avatar/?default=mm&size=200';

diff --git a/server/routes/user/index.ts b/server/routes/user/index.ts
@@ -125,7 +125,7 @@ router.post(
       let avatar = gravatarUrl(email, { default: 'mm', size: 200 });
 
       if (
-        avatar.startsWith('https://gravatar.com') &&
+        avatar.startsWith('https://gravatar.com/') &&
         avatar.includes('default=mm&size=200')
       ) {
         avatar = 'https://gravatar.com/avatar/?default=mm&size=200';
@@ -565,7 +565,7 @@ router.post(
           });
 
           if (
-            newUser.avatar.startsWith('https://gravatar.com') &&
+            newUser.avatar.startsWith('https://gravatar.com/') &&
             newUser.avatar.includes('default=mm&size=200')
           ) {
             newUser.avatar = 'https://gravatar.com/avatar/?default=mm&size=200';